Guide To ISO 22301 (Business Continuity)
Today's business environment has many organizations placing business continuity at the forefront of their priorities. If you've recently experienced a business disruption, or nearly did, you know just how crucial it is to have a resilient operation. As businesses look closely at their business continuity plans, many have wondered if there is a method for creating the most effective business continuity strategies possible.
If you've wondered the same, you may have stumbled upon the ISO 22301:2019 standard. ISO 22301 is a set of requirements for business continuity management systems (BCMS) from the International Organization for Standardization (ISO). Should you get certified to this standard? If you choose to, how can you do so? We have these answers and more in this guide to ISO 22301.
What Is ISO 22301?
ISO 22301 is a standard for a management system to adhere to for business disruptions. The requirements aim to help companies reduce the likelihood of interruptions while also preparing for and responding to them when they arise. A business continuity management system certified to ISO 22301 means the organization:
- Implements, maintains and improves its BCMS
- Conforms to its stated business continuity policy
- Supports resiliency through business disruptions
- Can continue to deliver products and services at an acceptable capacity even during an interruption.
ISO 22301 was initially introduced in 2012 and revised in 2019. While many of ISO's recent revisions have had major changes from previous versions, the 2019 version is very similar to the 2012 one. It has fewer mandatory documents, less prescriptive requirements and new guidelines regarding planning changes to the BCMS. Businesses have until October 31, 2022, to transition to the 2019 version.
ISO 22301 Summary Of Requirements
The framework of ISO 22301 is designed to be integrated with other recognized standards, like ISO 9001 — Quality Management Systems, ISO 14001 — Environmental Management Systems and ISO 27001 — Information Security Management Systems. Like each of these standards, ISO 22301 follows a 10-clause structure (Annex SL), with broad ideas applicable to any organization.
The first three clauses discuss the scope, normative references and terms and definitions related to the standard. The remaining seven provisions list the required elements of an effective business continuity management system and outline how to implement ISO 22301.
Clause 4 — Context Of The Organization
Before you can implement a business continuity management system, you need to understand the business itself. As an organization, you must evaluate internal and external needs and devise the new system's scope. Business leaders also must follow the requirements imposed by interested parties such as regulators, customers and staff.
Clause 5 — Leadership
A business continuity management system needs effective leadership to spearhead its implementation. By prioritizing management commitment, the business can ensure appropriate resources are provided and policies are developed. Business leaders should also see that the right staff members are appointed to implement and maintain the system.
Clause 6 — Planning
As with establishing any new system, adequate planning is central. As part of the planning process, the organization should identify the risks of implementing the BCMS. The company should also set clear objectives and criteria to measure its success.
Clause 7 — Support
To support the BCMS effectively, you need employees with the knowledge, skills and experience to develop and maintain the system and respond to incidents when they occur. All staff should be aware of their roles in responding to incidents. Considering only 14% of businesses have a team dedicated to business continuity, this is crucial.
Supporting the BCMS can include making customers aware of business continuity management issues. When normal communication channels are disrupted, they must be supported through alternate means.
Clause 8 — Operations
The bulk of the standard is contained in Clause 8, which outlines the operational needs for a BCMS. First, the business needs to understand how disruptions might affect operations. A risk assessment will reveal the threats your business faces. Then, your organization can inform its business continuity strategy most effectively.
As you identify the potential incidents, you design steps to avoid and reduce their likelihood alongside steps to take if they occur. Since it is impossible to predict and prevent all events, worst-case scenario planning is essential. A well-defined incident response structure ensures that responses can be escalated quickly. It also empowers people to take necessary actions. If the incident involves public safety, the response must include communication with affected external parties. For example, a chemical spill at a factory might pose a fire hazard to neighboring buildings.
Clause 8 favors short, quickly understood business continuity plans. These documents should enable a fast response for a given incident. It's usually better to create a strategy for each potential episode than one large plan that encompasses many events.
Further, the ISO standard introduces a consideration other business continuity standards have not addressed — the return to regular business.
The last subsection addresses exercises and tests. Since interruptions can occur at any time, checking that responses will work when needed is crucial. Testing determines if one element of the business continuity arrangements passes or fails. For example, you can test a facility's generator by turning it on. Exercises usually comprise many tests and include nuanced simulations of an incident and the response. Exercises often include training for how to handle events alongside testing for the processes in place.
Clause 9 — Evaluation
As with all management systems, an organization must evaluate its performance. Using established metrics, an organization can measure its performance over time. The organization must also conduct internal audits, where management reviews the results and acts on the information revealed.
Clause 10 — Improvement
Going hand-in-hand with evaluation, the organization must improve the system. ISO 22301 recognizes that no arrangement will be perfect from the start and requires improvement as part of the certification. Further, new threats can arise as the business environment changes. Therefore, the organization must take corrective actions based on the results of audits, reviews and exercises.
Benefits Of ISO 22301
There are many reasons to implement ISO 22301. The first is having the ability to maintain business operations during a disruption. You can also gain advantages such as:
- Useful business continuity policies: Following the ISO 22301 standard requires you to create robust plans. The idea is to develop strategies for dealing with and even preventing threats. By putting in the work now, you'll develop valuable business continuity policies tailored to your business.
- Robust response and recovery procedures: By implementing short, actionable guidance for many scenarios, you're front-loading the planning for nearly any incident. Your team can quickly put ideas into action, reducing your response time.
- Increased asset and profit protection: Most business disruptions result in revenue loss. Whether the loss of a supplier makes delivering products impossible, or a data breach drives customers to your competitors, you hurt your bottom line. With a BCMS, you can protect profits via strategies to continue serving your customers during incidents. Further, business disruptions resulting from a natural disaster could damage property and other assets. Response procedures can help you mitigate asset damage. They can also help you minimize liquidating assets to keep up with a lost revenue stream.
- Preserved reputation: How your business responds to a crisis can affect your credibility. If a large-scale disaster causes you to delay shipments by more than a month, while your competitors are delayed only a week, your customers will notice. If the tables are turned, you'll gain a positive reputation by beating out your competitors' response times. If your incident involves a health hazard, environmental damage or other harm caused by your company, you can mitigate the effects and preserve your reputation in the public eye.
- Greater visibility into threats: One challenge for many organizations is they simply don't know what to expect. They don't know what risks are possible and which might have the most significant impact. By engaging in a thorough risk assessment, you can uncover these threats. You can also demonstrate to your clients and supply chain that you understand your risks.
- More management involvement: ISO 22301 requires leadership to be heavily involved in the business continuity management system. Through this commitment, you ensure your BCMS is taken seriously across the organization. It motivates employee engagement while showing customers that management is committed to the success of the BCMS.
- Reduced cost for business interruption insurance: With a comprehensive BCMS, you know what you're prepared to handle. You can prevent incidents and recover from them with your internal resources. As a result, you usually need less business interruption coverage. You can eliminate unnecessary policies with confidence, lowering your insurance rates.
- Demonstrated legal compliance: In general, business interruptions will not suspend regulatory requirements. Some incidents will even trigger more legal requirements. Your business continuity strategies can help you meet regulations during difficult times and quickly implement new policies and procedures in response to changing laws.
- Proven business credentials: If you supply to other organizations, you can unlock more opportunities with ISO 22301 certification. Many procurement departments require certification as a way to mitigate their own business interruptions. You'll also earn credibility with proof that you can maintain business continuity and pose a smaller risk to your customers.
Why Is ISO 22301 Important?
A survey of business executives who have faced delivery shortfalls in 2020 revealed 96% blame the limitations of their business continuity plan. After recognizing their vulnerability, only 16% see their operations as resilient to similar future crises.
Business disruption can cause financial loss, damage your reputation and drive away valuable customers. By their very nature, business interruptions are unexpected. A company without a robust business continuity management system in place will fall prey to many issues. Namely, it will take much longer for the business to get back on its feet. That means more lost revenue and more unhappy customers.
While an ISO 22301 compliant business continuity plan won't always stop the next disaster, it can help your business in many ways. Through comprehensive threat analysis and ongoing monitoring, it can allow you to predict the next disruption. Effective response plans can prevent some disasters from causing a business disruption in the first place. When one strikes, your enterprise can kick into recovery mode with preestablished procedures.
ISO 22301 And Returning To Work
Businesses that have temporarily shut down due to COVID-19 should especially be interested in ISO 22301 and its applications for returning to work. Companies are now worried about what happens if a crisis forces another shutdown or massive operational change. Even as businesses reopen, it's hard to say if another interruption is imminent. Anything from a natural disaster to a viral outbreak can cause a company to lock its doors. The good news is that certification to ISO 22301 can help.
Through your BCMS, you can develop the necessary policies to migrate operations remotely where possible. You'll also be prepared to respond to ongoing challenges related to reopening safely. If another temporary closure strikes, you'll be able to continue operations and get back to work sooner.
How Do I Get Certified To ISO 22301?
As the organization that designed the standard, ISO does not issue certifications directly. Instead, they rely on accredited certification bodies, like NQA, to apply their rigorous standards. The ISO 22301 certification process we follow at NQA includes five steps:
1. Application
ISO certifying bodies use an application to initiate the process. Since any organization of any size or industry can seek certification, this application helps certifying bodies and auditors understand your unique situation. At NQA, our application process is wrapped into our quote request procedure. We use this information to learn about your company and its complexities and requirements. You can complete our quick or formal quote request form to apply. We'll use this information to outline the scope of your certification assessment and provide you with a proposal.
2. Scheduling Your Assessment
Once you've approved your proposal, you can schedule an appointment with an NQA Assessor. Before you begin your formal assessment process, you'll need to have an established business continuity management system that meets the ISO 22301 requirements to the best of your knowledge. You'll have to demonstrate to your auditor that it has been fully operational for at least three months. It should have been reviewed via an internal audit and improved on by management during that time. Once these conditions are met, we can perform a third-party examination for you.
3. Initial Certification Audit — Stage 1
The first stage of the audit reviews your documented information. Before we have auditors on the ground during a full assessment, we confirm that your organization follows all the requirements, including those for documenting information related to your business continuity management system. The documented information review will occur at your management system center, which is usually at a company's main office. At this stage, the assessor will confirm:
- The accuracy of the information you submitted on your application.
- The documented BCMS' conformity to the standard's requirements.
- The full implementation of the BCMS.
- The scope of certification.
- The organization's legislative compliance.
At the end of the first stage, your auditor will provide you with a detailed report. You'll be able to see any noncompliance issues as well as suggestions for improvement. If you have any noncompliance issues, the document will outline any corrective action plans required. If the documented information demonstrates a fully compliant BCMS, the auditor will also schedule your stage 2 audit and provide you with an assessment plan for the second stage of the review.
4. Initial Certification Audit — Stage 2
The second stage of the audit assesses if the management system you have in place conforms to the requirements of ISO 22301 and your documented information regarding the system. In other words, the auditor is checking that you do what you say you do. This assessment can depend on your specific organization. If you do site work or have several locations that need ISO 22301 certification, you may need multiple sites audited during the process. At the second stage of assessment, your auditor will:
- Document the objective evidence that proves how the system complies with ISO 22301.
- Audit the operations and activities outlined in your scope of certification.
- Visit all locations where the BCMS is in place to determine if the system is effective off-site from its headquarters.
- Report any nonconformities and opportunities for improvement.
If the auditor finds any noncompliance issues, the body cannot issue certification until you complete corrective actions. If the body verifies that corrective actions were taken within six months, you can get certified without repeating the stage 2 audit. Otherwise, you'll have to schedule another review after completing the corrective actions. If you pass stage 2, we will provide you with a surveillance plan and schedule a date for your next annual surveillance visit.
5. Certification
If you've passed both stages of your certification audit, congratulations! You have become certified to ISO 22301. NQA will issue your certification as both a hard and soft copy. This way, you can share your certification with procurement officers and other third parties to prove your competence in your BCMS. Your certification will last three years and requires annual surveillance audits. Every three years, you'll need a full system audit for recertification.
Contact The Experts At NQA
Are you ready to get certified to ISO 22301? NQA can help you determine your plan of action and develop a certification proposal that encompasses the areas of your business that you want to be certified. As an accredited certification body, we aim to find aspects to improve with every audit, helping you meet your continual improvement requirements. If your business needs to change its BCMS, we can conduct a gap analysis to discover what you need to do to become compliant.
If you have questions about the certification process, or are wondering if your organization is ready for an audit, reach out to us online or give us a call at (219) 363-6151.