ISO has published an International Standard addressing business continuity management to contribute making organizations in both public and private sectors more resilient.
ISO 22301:2012, Societal security – Business continuity management systems – Requirements, will help organizations, regardless of their size, location or activity, to be better prepared and more confident to handle disruption of any type.
Incidents can disrupt an organization at any time and applying ISO 22301 will ensure that organizations can respond and continue its operations. Incidents take many forms ranging from large scale natural disasters and acts of terror to technology-related accidents and environmental incidents. However, most incidents are small but can have a significant impact and that makes business continuity management relevant at all times.
This has led to a global awareness that organizations in the public and private sectors must know how to prepare for and respond to unexpected and disruptive incidents.
ISO 22301 provides a framework to plan, establish, implement, operate, monitor, review, maintain and continually improve a business continuity management system (BCMS). It is expected to help organizations protect against, prepare for, respond to, and recover when disruptive incidents arise.
Dr. Stefan Tangen, Secretary of the ISO technical committee that developed the new standard, states:
“Organizations implementing ISO 22301 will be able to demonstrate to legislators, regulators, customers, prospective customers and other interested parties that they are adhering to good practice in BCM.
“It may also be used within an organization to measure itself against good practice, and by auditors wishing to report to management.”
ISO 22301 will assist organizations in the design of a BCMS that is appropriate to its needs and meets its stakeholders’ requirements. These needs are shaped by legal, regulatory, organizational and industry factors, the organization's products and services, its size and structure, its processes, and its stakeholders.
Dave Austin, the project leader responsible for writing ISO 22301, explains: “To work well, ISO 22301 will need organizations to have thoroughly understood its requirements. Rather than being simply about a project or developing ‘a plan’, BCM is an ongoing management process requiring competent people working with appropriate support and structures that will perform when needed.”
ISO 22301 is the first standard published which is aligned with the new ISO format for writing management systems standards. This will ease understanding and ensure consistency with other management systems, such as ISO 9001 (quality management), ISO 14001 (environmental management) and ISO/IEC 27001 (information security management).
ISO 22301 may be used for third-party certification as well as for self assessment. To help users get the best out of the standard, it includes short and concise requirements describing the central elements of BCM.
Given the role of business continuity in every sector, ISO 22301 has a huge worldwide potential. So far, numerous countries have started to adopt ISO 22301, including Singapore and United Kingdom to replace their existing national standards. There is already interest from business worldwide who wish apply good practice and obtain certification against this standard. This attests to its vast potential user base and expected benefits.
ISO 22301 is part of a series of standards developed by ISO technical committee ISO/TC 223, Societal security. For example, an additional document is under development called ISO 22313 which is expected to be published early next year. This companion standard contains guidance for implementing the ISO 22301.
ISO 22301:2012, Societal security – Business continuity management systems – Requirements, is available from ISO national member institutes (see the complete list with contact details). It may also be obtained directly from the ISO Central Secretariat, price 116 Swiss francs respectively through the ISO Store or by contacting the Marketing, Communication & Information department.