How To Implement ISO 22301 Business Continuity Management System?
ISO 22301 is the international standard for business continuity management systems. Published by the International Organization for Standardization, ISO 22301 is designed to help organizations prevent, prepare for, respond to and recover from unpredicted and disruptive incidents. To do so, the standard delivers a practical framework for setting up and managing an effective business continuity management system. ISO 22301 aims to safeguard an organization from a wide range of possible threats and disruptions. The standard may be right for an organization that wants to demonstrate to stakeholders that it can quickly overcome operational disruption and provide continual and effective service.
Steps to Implement ISO 22301:
Management support: It doesn’t make sense to start any kind of project if management isn’t ready to invest both financial and human resources, and to do this, they have to see clear advantages – this is where the job begins: with diplomacy.
Identification of requirements: Before taking any concrete steps, the organization needs to make sure that it will be compliant with everything the stakeholders want. Remember, it is not only the laws and regulations – it is also the requirements in the agreements with clients, the wishes of the owners of the company and the local community, etc. The organization has to list all of these requirements and describe how to communicate with each of the stakeholders.
Business continuity policy & objectives: Top management needs to define some of the main responsibilities and rules for business continuity, and this is what a business continuity policy is used for, but top management also needs to describe exactly what is expected from business continuity by setting measurable objectives. This is not easy, but is certainly essential if the organization wants to measure whether business continuity has fulfilled its goal.
Support documents for management system: Management systems, whether for business continuity, information security or quality management, all have in common a set of procedures upon which such systems depend. These procedures are control of documents and records, internal audit, and corrective actions – once these are in place, the organization will find it much easier to run the system.
Risk assessment & treatment: Would you like to be ready for disruptive incidents? Possibly even prevent some of them? First, it is essential to find out which incidents can happen, and then define which controls the organization can apply to mitigate them – this is basically what risk assessment and treatment is all about.
Business impact analysis: Analysis doesn’t finish with risk assessment; it is also essential to find out two basic things: (1) how quickly the organization needs to recover and (2) what the organization needs in order to succeed with such recovery. So, the aim of business impact analysis is to define the recovery time objective and essential resources.
Business continuity strategy: Given the inputs, the organization needs to figure out how to accomplish all this with a minimum level of investment. This can be quite challenging, but without this step business continuity would be simply a house of cards.
Business continuity plan: In fact, there are many types of BC plans – at a minimum, there are incident response plans and recovery plans. All of these need to be based on the strategy, otherwise the organization would lack the resources needed to execute such plans.
Training & awareness: Having plans in place is not sufficient; if no one knows how to execute them, the organization can rest assured that in case of a real incident they certainly wouldn’t work. So, the organization needs to explain to employees not only how to perform certain steps in the plan, but also why this is significant in the first place.
Documentation maintenance: Written documents have one horrible habit: they become outdated very fast. Someone leaves the company, or new hires come in; the working processes or a technology change, and new products are added – all that needs to be reflected in documentation, especially the plans. Without such changes the organization wouldn’t be able to execute plans when they are needed the most.
Exercising & testing: However essential, training is not going to be enough – if you don’t try the plans to discover how they perform in real situations, you will never know where they are lacking. So, performing regular exercising and testing is of paramount importance, and such testing shouldn’t be limited to IT only – everyone, including top management and outsourcing partners and suppliers, must be involved.
Post-incident reviews: No matter how hard you try, you will never be able to prevent incidents from happening; what you can do, however, is learn from such incidents. And you can learn quite a lot – how people react, how ready they are, what enhancements are required in the plans, etc.
Measurement and evaluation: The basic idea here is that it doesn’t make sense to do something unless you know whether the organization achieved what it wanted or not. In the case of business continuity, finding out whether the objectives were achieved must be done through some kind of metrics. It could be something sophisticated like a Balanced Scorecard, but might also be as basic as measuring the achievement of the RTO during exercising & testing.
Internal audit: It is impossible to be objective about one's own work. Therefore, someone who is less subjective should review the work and suggest enhancements – that is what an internal audit is all about. Though it is frequently regarded as overhead, ISO 22301 internal auditor training is actually very beneficial when it comes to facing reality.
Corrective actions: All of us make daily improvements in the things we are doing, but ISO 22301 wants it done systematically – it forces an organization to find out why the problem has happened, and to ensure it never happens again. Or, as the ISO 22301 standard says, “confirm that nonconformities do not recur” – it needs to be done systematically, and in a transparent way.
Management review: Once all of these steps are performed, top management needs to evaluate them and reach some critical decisions – like updating the objectives, providing the funding, making larger improvements, etc. After all, it is their ultimate responsibility that the company survives larger incidents.