What is ISO 22301?

ISO 22301:2019 – Security and resilience – Business continuity management systems – Requirements

ISO 22301 is a management system standard that sets out the requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve business delivery of products and services after occurrence of disruptive events (i.e. natural disasters, man-made disasters, pandemics). 

The goal of ISO 22301 is to ensure that, in the event of an emergency, many businesses and organizations will have the ability to mitigate damage and continue operating. ISO 22301 is the international standard for Business Continuity Management (also known as BCM). 

Overall, ISO 22301:2019 is designed to help organizations prevent, prepare for, respond to and recover from unexpected and disruptive events. The standard provides a practical framework for setting up and managing an effective business continuity management system. The standard aims to protect an organization from a wide range of potential threats, disruptions and unpredictable events.

Structure of ISO 22301:2019 

Similar to other management system standards by ISO, the requirements specified in ISO 22301 are generic and intended to be applicable to all organizations, regardless of type, size, and industry. However, the extent of applicability of the requirements depends on the organization’s environment and complexity. ISO 22301 is divided into 10 main clauses and has adopted the high-level structure and standardized text set out by Annex L.

As most other ISO standards, ISO 22301 is broken down into these 10 clauses, of which 4-10 contain the actual requirements: 

1. Scope
2. Normative references
3. Terms and definitions
4. Context
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

Since the structure of ISO 22301 is the same as ISO 9001, ISO 14001, ISO/IEC 27001 and other standards, this helps create a consistency, allowing organizations to more easily integrate several management systems. This can help organizations improve efficiency, eliminate duplication and achieve cost savings.

Relationship between ISO 27001 and ISO 22301

ISO 27001 and ISO 22301 are fully compatible standards. ISO 27001 defines information security management, which includes business continuity management. However, ISO 27001 does not describe how business continuity management should be implemented. This is where ISO 22301 plays an important role. ISO 22301 gives structure and requirements for implementing a business continuity plan, so it is best to use ISO 22301 for this purpose. In addition, ISO 27001 and ISO 22301 contain elements that are almost identical, including: documentation management, internal audits, management review, corrective and preventive actions), allowing for ease of implementation.

Benefits of ISO 22301:2019

Overall, the standard was created to provide a proactive approach to help organizations respond to and recover from unexpected and disruptive events. What may be less obvious is that 22301 is also beneficial by demonstrating to stakeholders that your organization has a set process in place to quickly overcome operational disruptions and provide continual and effective service. 

An additional benefit of ISO 22301 is that the standard complies with legal requirements. 

Each year more countries define laws and regulations around business continuity management. Not only do governments have an interest in organization’s BCM, but private businesses (such as financial institutions) are also requiring their clients, suppliers, and partners to have a BCM. ISO 22301 is a globally recognized standard that in addition to its own requirements, also requires organizations to follow federal, state and local regulations, hence why most organizations have chosen ISO 22301 as their BCM. 

Marketing is another benefit of ISO 22301. Globally BCM requirements greatly vary, but when you decide to implement ISO 22301 it allows you to advertise to the world that your organization has met a global standard. Additionally, if you are ISO 22301 certified and your competitors are not, this will give you the upperhand. Being ISO 22301 compliant allows you to ensure any interested parties that even in times of trouble you will be able to continue your operations and deliver products and/or services. 

Another great benefit of ISO 22301 is reducing dependence on individuals. Oftentimes, critical components of a business rely on a single person or a small group of people. This can be problematic if there is turnover within the company. When ISO 22301 is implemented into a company it creates universal responsibility and requires thorough documentation. This moves the responsibility to an organization as a whole and allows smoother training and awareness for newcomers.

Preventing large-scale damage is another benefit. In a world that operates in real-time services and transactions, even a few hours of down service will cost your organization money. Even in less time-sensitive businesses – any disruptive incidents will be costly. When you implement ISO 22301 you will have a system that helps both prevent disruptive incidents from happening and allows you to recover faster. 

As legislation around the world continues to require emergency planning responsibilities for organizations, it becomes more imperative that your organization has a BCM in place. As a result, ISO 22301 certification should be considered essential to any organization legally required to engage in contingency planning, including utilities, transport, health and essential public services. Whether you are required by law to have a BCM or not, ISO 22301 certification will help your organization develop resiliency, improve risk management and will help save your organization money and time.