
Navigating the resilience landscape: Understanding and implementing ISO 22301

20 February 2024
10-minute read

Discover the key to resilience with ISO 22301 (Business Continuity Management), written by ISO consultants and Associate Partner Programme (APP) members, Blackmores.

An introduction to ISO 22301 (Business Continuity Management)

Resilience and continuity planning are more critical than ever.

ISO 22301 (Business Continuity Management) is a globally recognised standard guiding organisations to establish, implement and maintain an effective business continuity management system (BCMS).

This blog delves into the ISO 22301 standard and its requirements. We also discuss how ISO 22301 integrates with other ISO standards and how organisations can adapt their principles to enhance their own management systems.

Before we start: Key terms & acronyms

ISO 22301 mentions standard-specific terms throughout.

For the purpose of this blog, to help you understand the fundamentals of this standard, we have written the terms in full. However, you may come across ISO 22301 acronyms elsewhere, such as:

  • BCM = Business Continuity Management

  • BCMS = Business Continuity Management System

  • BCP = Business Continuity Plan

  • BIA = Business Impact Assessment

What is the ISO 22301 standard?

ISO 22301 (Business Continuity Management) provides a basis for planning to ensure your long-term survivability following a disruptive event.

Put simply, it helps establish a comprehensive process to ensure the continuation and improvement of business in the face of whatever challenges your organisation may encounter.

The COVID-19 pandemic is an extreme example of this, where virtually all businesses had to pivot quickly in order to survive.

ISO 22301 identifies the fundamentals of business continuity management, providing a basis for understanding, developing and implementing it within your organisation.

The ISO 22301 standard specifies the requirements to:

  • Identify crucial risk factors already affecting your organisation

  • Understand your organisation’s needs and obligations

  • Establish, implement and maintain your business continuity management system

  • Measure your organisation’s overall capability to manage disruptive incidents

  • Guarantee conformity with your stated business continuity policy

Explore the requirements in more detail with the NQA ISO 22301 introductory virtual training.

What is required to implement ISO 22301?

Implementing ISO 22301 requires a systematic approach. It focuses on understanding the organisation's needs to establish a robust business continuity management system.

Business continuity is a major topic to tackle in any business. To help you get started, we break down what the creation of a business continuity management system involves:

Leadership commitment

Leadership must be involved in defining roles, policies, and objectives.

Before embarking on your implementation journey, you must have this top management support from the start.

Gap analysis

As with any ISO standard, we recommend you start with a gap analysis.

This is key to understanding what is already in place from a resilience perspective, and what vulnerabilities must be addressed.

Context review

A context review enables you to understand the wider internal and external issues that can impact the business – both positively and negatively.

It also acts as a starting point to identify interested parties that may need to get involved with your business continuity plan (BCP). For example, key suppliers your business may depend upon.

Business impact assessment (BIA) and risk assessment

Both of these require you to look at the activities undertaken by your organisation that enable you to run your business effectively – generating profit and satisfying customer needs.

By reviewing these key activities, and then fully understanding the potential risks that may disrupt your ability to perform, you can start exploring where you may need a ‘Plan B’ – effectively your business continuity strategy and plans.

A robust business impact assessment will look at:

  • Your activities and what they support in terms of services and other departments

  • The impact of disruption on the business (e.g. reputation, financial penalties, legal compliance, revenue, etc.)

  • Defining your maximum period of disruption

  • Understanding how to recover your position if a disaster strikes (e.g. backup data)

Business continuity plans

Your business impact and risk assessment results will help develop appropriate business continuity and supporting response plans.

Response plans look to cover:

  • Any assumptions made in the plan

  • Responsibilities (including who can invoke and stand down a response)

  • Business recovery objectives

  • Who and/or what is impacted

  • Recovery strategy at a high level

  • Communication requirements

Ideally, response plans then walk through each of the following three stages:

  • Emergency phase (incident reported)

  • Recovery phase (response strategy and plan)

  • Restoration phase (return to normal operations)

Training and awareness

Everyone in your organisation must be aware of their role in responding to incidents, and what actions to take to restore services.

Testing and exercising

Part of the awareness training and reinforcement can be supported by ‘exercising’ and ‘testing’ the plan as a team.

This is an effective way of walking through the theory, taking the time to consider various scenarios and making informed decisions within a calm environment.

Internal audits

As with any other ISO standard, you will be required to audit your business continuity management system.

There is a greater focus on awareness and communication in ISO 22301, so you may want to undertake more in-depth awareness interviews during internal audits.

Boost your internal auditing knowledge and skills with the NQA internal auditor virtual training.

Management review

Lastly, the management review examines all the key inputs and interactions in the management system, analysing their effectiveness and any potential need for change.

It also reviews objectives and progress made, results of internal audits, supplier performance and so on.

Integration with other ISO standards

ISO 22301, like many ISO standards, is based on the Annex SL framework. This framework provides a high-level structure that enables standards to integrate seamlessly.

Examples of ISO standards that can effectively integrate with ISO 22301 are:

ISO 9001 (Quality Management): Integration with quality management systems enhances consistency and efficiency in organisational processes.

ISO 27001 (Information Security Management): Aligns business continuity with information security, ensuring data protection during disruptions.

ISO 14001 (Environmental Management): Joint implementation can help manage environmental risks and their impact on business continuity.

ISO 45001 (Occupational Health and Safety Management): Combines workplace safety and business continuity, ensuring employee safety during incidents.

The benefits of ISO 22301 integration:

Keep things simple!

Avoids the hassle of maintaining multiple separate management systems, instead providing a cohesive and streamlined integrated management system.

Resource optimisation

Reduces wasted or duplicated efforts and maximises current existing internal resources.

Enhanced risk management

Provides a comprehensive view of potential risks from different perspectives.

Improved performance

Working in synergy improves the overall performance and effectiveness of your management system.

Adopting ISO 22301 elements into a management system

You can benefit from incorporating the key elements of ISO 22301 into your existing management system, even if you aren't yet ready for certification.

What can you adopt?

Risk and impact analysis

Integrate risk assessment tools from ISO 22301 to identify critical business areas and potential impacts.

For example: In light of growing cybersecurity threats, a bank conducts a risk and impact analysis to assess how their operations might be affected by – and how they can prepare for – a data breach.

Policy and objectives

Adopt the policy structure and objectives-setting approach of ISO 22301 for enhanced clarity and direction.

For example: A manufacturing company sets its annual objectives, applying ISO 22301 principles to identify how potential risks (such as supply chain delays) might obstruct it from reaching those targets.

Incident response plan

Develop and integrate incident response plans based on ISO 22301 guidelines.

For example: A hospital creates an incident response plan to effectively manage unforeseen circumstances (such as a pandemic or natural disaster) and keep patients, staff and visitors safe.

Training and awareness programmes

Implement training programmes to increase awareness and preparedness among employees.

For example: A construction company hosts regular training to teach employees safety protocols, equipment handling and emergency response procedures (such as if a fire breaks out).

Why you should consider adopting these elements:

Increase your resilience

Even partial adoption can significantly enhance organisational resilience.

Stakeholder confidence

Demonstrates a commitment to business continuity, increasing confidence among customers, suppliers, and potential investors.

Better preparedness

Prepares the organisation for possible ISO 22301 certification in the future.

How does Blackmores help clients with ISO 22301?

“Blackmores is always happy to assist with the journey to ISO 22301 certification. To learn more about the general practice of ISO implementation, Blackmores provides a step-by-step guide to everything an organisation needs to plan, create, launch and get certified.”

Download a copy of Blackmores’ ISO Blueprint or visit their website to learn more.

For consulting services offered by Blackmores or any of NQA’s other Associate Partner Programme (APP) consultants, get in touch via sales@nqa.com.

Final thoughts from NQA

NQA thanks Blackmores for this comprehensive blog about ISO 22301 (Business Continuity Management).

The ability to prepare for, adapt and overcome challenges is vital in the modern business landscape – something the ISO 22301 standard offers.

Learn more about ISO 22301 certification. Visit our business continuity management page.

If you would like to write content for NQA as a consultant, please email our marketing team.

Based in the UK and considering the Associate Partner Programme (APP)? Visit our Consultant Area.