Simply put, here are 12 Steps that must be taken to align with ISO22301.
We use the word ‘align’ because it’s a term often used by those who have no intention of gaining certification but recognise the Standard. And, given the experience of those who certified to BS25999, only to find it being withdrawn much less than 10 years later, we suspect many of us fall into this category!
1. Management support. No change from BS25999 but there is more emphasis on this requirement. Management are also charged with reviewing the process regularly, so they (management) remain accountable.
2. Identification of requirements. This could be viewed as stakeholder management, which begins at the outset of the process. Stakeholders include regulators, shareholders, management, employees, suppliers, customers, the local community, and so on.
3. Business continuity policy & objectives. Like BS25999, it begins with a policy signed off at the very top of the organisation. But there is also a strong requirement for measurable objectives to be set. Expect the age-old argument of measurable metrics v quality-based milestones to be raised many times over the next few years!
4. Support documents for management system. There is much more about management systems in ISO22301 than there was in BS25999. From business continuity, information security, quality management through environmental protection, there is a requirement to ensure the procedures are documented. The detail runs from version control through internal audit protocols and corrective action records.
5. Risk assessment & treatment. ISO22301 is much hotter on risk management than BS25999, requiring a much better tie-in with existing risk management standards. The aim, of course, is to understand and/or mitigate hazards that may cause business disruption if their risk status is significant.
6. Business impact analysis. No change here: the BIA takes centre stage as one of the most organisationally valuable (and often overlooked) parts of the business continuity process. The same terms from BS25999 are used: RTO, MTPD, etc.
7. Business continuity strategy. We’ve always thought of business continuity strategy as the clever work that needs to be undertaken in the process. While the pre-strategy BIA is all about establishing what needs to be done, and drafting the Plan is about writing clear instructions, this bit is all about creating the solutions to the potential problems identified in the BIA, or arranging for someone on high to understand and accept the risk of not creating a solution (which is a perfectly acceptable arrangement in many cases).
8. Business continuity plan. This is not new. Those who aligned with BS25999 can probably do this without even bothering to read the section in the new Standard… though it never hurts to check for yourself!
9. Training & awareness. Again, this was covered in BS25999 but there is much more emphasis here on organisation-wide training, and bringing third parties in where appropriate. After all, it’s not a plan unless everyone in the process knows and understands it to be the plan.
10. Documentation maintenance. We’ve all seen the beautiful business continuity plan that someone wrote a few years ago, that other people ignored, that is now stuck on a shelf with virtually no one knowing what it says inside. We’ve also all seen lovely plans that have names of people who moved on a year ago and phone numbers that haven’t worked in months. Out of date documents aren’t plans: they’re old documents.
11. Exercising & testing. Our favourite part of the process is rehearsing (we at Continuity In Business strongly advocate doing this even before there’s a plan in place – it’s a great way to bring interested parties into the process – you’d be surprised how much help can be offered at the end of a great exercise!). Plans aren’t valid until they’ve been sensibly tested. And full-blown exercises need to involve everyone who is involved in the plan, including relevant suppliers and management! Again, this is nothing that BS25999 didn’t include, but there is more detail in ISO22301.
12. Post-incident reviews. An essential process that, in our opinion, should be extended to near-misses. This is nicely spelled out in ISO22301.