ISO 22301 Business Continuity

ISO 22301:2012 for Societal security and Business continuity management will assist your organization in executing a plan if an unforeseen event occurs.

An increase in global threats, large-scale natural disasters, increased volume of pandemic-related concerns, and more instances of companies affected by local and regional power or internet outages have elevated the importance of business continuity. 

Many organizations develop a business continuity plan as a one-time exercise and then file the plan on a shelf to collect dust or store it on an unknown hard drive.  With the increasing frequency of disruptions in an increasingly technology-dependent business environment, companies must focus their efforts on their ability to provide services to customers no matter the situation.

ISO 22301 Process

ISO 22301 is a process-based standard, similar in structure to ISO 9001, that focuses on business continuity management. When implemented it will help:

  1. Prepare a common method to manage unplanned disruptions;
  2. Install a business-focused approach to keep services running or recover from an outage rapidly;
  3. Reduce the financial impact of an unplanned disruption; and
  4. Provide employees with defined roles and responsibilities in the event of a disaster.

ISO 22301 benefits companies that would like to not only create a business continuity plan, but also be prepared to execute the plan if an unforeseen event occurs. 

Emphasizing the business impact of, and the risks associated with, a loss of services, ISO 22301 provides an organization with a planning framework that focuses on the priorities for restoring business services to minimize financial, brand and business impact.

In many cases, organizations have already invested time and resources to resolve specific issues.  For example, a company may have invested in cloud solutions with redundant systems to minimize the likelihood of a disruption, identified key suppliers of goods and services as well as alternate supplier options, or created a business continuity plan that describes the activities that should occur during a disruption. 

ISO 22301 and Government Contracting

By adopting the principles and practices of ISO 22301, an organization will be better prepared to respond to unforeseen events.  One additional advantage of implementing ISO 22301 is that the standard has been adopted by FEMA as one of the optional certification standards included in the voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep).  The PS-Prep program was created on the recommendations of the 9/11 Commission. 

By certifying to ISO 22301, an organization gains increased recognition of its commitment to business continuity preparedness.

Since many organizations have started the implementation process to meet customers’ demands, the most pragmatic way to approach ISO 22301 is to evaluate the current system against each of the required processes and controls. 

ISO 22301 Implementation

Many early adopters of ISO 22301 are already certified to one or more standards such as ISO 9001 or ISO 20000. This makes the transition to ISO 22301 easier, as some of the basic requirements of a management system, such as document and record control, are already in place, allowing the company to focus on incorporating the new requirements into an existing system.

After implementing the guidance of ISO 22301, registration is the method by which a company can prove that it has successfully implemented the requirements. After documenting its processes and performing reviews, a company can then engage an independent auditing company to review those processes and confirm that it is adhering to them.

At the end of the audit, the company is presented with a certificate that it can provide to existing and potential customers as proof of its commitment to business continuity preparedness.

The challenge that many organizations face with ISO 22301 is that the guidance is general in nature, rather than specific to a particular industry or company.  ISO 22301 is a risk-based, situation-specific standard. Many companies review the requirements and work to fulfill every one of them, rather than evaluating the needs of the organization to determine which services should be included in the business continuity management system and which will improve the success of the organization.

When an organization begins to apply the standard to its operations, unnecessary or complicated solutions can be created for simple challenges.  By over-applying the standard to their operations, organizations expend precious resources and time, and come away with a less favorable opinion of the benefits of implementing ISO 22301.

ISO 22301 Time to Certification

Given the flexibility of the standard, many companies are looking to consultants to:

  1. Reduce the timeframe for implementation to meet customer requirements;
  2. Understand how to implement practical business impact analysis and risk assessment methods;
  3. Understand the best approach to integrate ISO 22301 with existing standards;
  4. Implement guidance to ensure that business continuity is a business critical activity, not a static plan; and
  5. Ensure successful initial achievement of certification.

ITG believes in a work-share approach that allows you to determine how much or how little support you need to achieve your objectives.

ITG provides flexible solutions—from complete system development to company-specific augmentation—providing valuable insight, advice, and troubleshooting along the way. 

Our goal is to ensure that you understand your system, support you in any way possible, and leave you with the tools to manage your system after implementation. Our job is to understand your needs and provide you with the services that will meet your organizational goals, budget and timeframe.