What is ISO 22301? An Introduction to Business Continuity
Published: February 2nd, 2021
Author: Matt Quinn
Categories: ISO Risk Management
Interest in Business Continuity (BC) (and ISO 22301) has significantly increased over the past year. Take, for instance, search data from Google Trends for “business continuity”. (Trends is a tool that tracks the relative popularity of a search term. That is the ratio of a query’s search volume to the sum of the search volumes of all possible queries).
Between 10/03/2019 and 16/02/2020, the term had a mean weekly score of 28.88, with a high of 40. But by 23/02/2020 the term had climbed to a score of 45, up from 35 seven days before. A week later the score had jumped to 100.
The reason behind this dramatic rise is, of course, the COVID-19 pandemic. The spike in searches tracked the spread of the virus across Europe. As the number of cases in the UK began to rise, so too did the popularity of “Business Continuity” as a search term.
Tellingly, a number of related terms, including “Business Continuity Plan (BCP)” and “Business Continuity Plan Template”, also saw increases, suggesting that some organisations were scrambling to get something in place rather quickly!
Almost a year since the start of the pandemic, interest in the topic remains strong, suggesting that Business Continuity Planning/Management will become a more common feature of business as usual.
What is Business Continuity?
But what exactly is business continuity? The latest figures from the ISO Survey show that in 2018 there were only 1,506 valid ISO 22301 certificates worldwide. By comparison, ISO 9001 has 878,664, which suggests that business continuity is something of a niche field compared to quality management or information security (i.e. ISO 27001).
According to ISO 22301:2019 – which is the international standard for business continuity management – business continuity is defined as the:
“capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption”
In plain English, this can be taken to mean the ability of an organization to continue to operate (i.e. provide its products and services) during a disruption.
It is important to note that the disruption to your day-to-day business processes could be caused by a number of different things. A comprehensive approach to business continuity will consider how to respond in the event of a disaster, whatever the proximate cause.
This could be a natural disaster (e.g. fire, flood, earthquake) or a major public health emergency. But it could also be something more common, like a cyber attack or a breakdown in your supply chain.
Accordingly, well prepared organizations’ disaster recovery planning efforts will have mitigating actions in place for a variety of different scenarios. For instance, to guard against the risk of cyber attacks an organization may have data backups in place, while to mitigate the risk of flooding you may have offsite storage for physical records.
The key thing is that your approach should be risk based, and your response plans should be commensurate with the (specific) potential threats your organization faces. For instance, if your office is situated on a flood plain, it is vital that your BC plan addresses this. For organizations for whom flooding is not a significant risk, there is less need to plan mitigating action.
What is ISO 22301:2019 and how can it help my organization with business continuity?
Business continuity, as is hopefully clear, is concerned with controls/mitigating actions to enable your organization to continue to operate in spite of a disruption. You may already have a number of processes in place to help reduce the likelihood of, and respond to, disruptive incidents (although you may not think of them in terms of business continuity). These are often called disaster recovery controls. For example, if you store your documents in the cloud, then these are (generally speaking) backed up by the provider.
Furthermore, as the availability of information is a key information security tenet, many information security frameworks also have sections devoted to business continuity. IASME Governance, ISO 27001 and CIS 20 all address the topic.
However, if your organization is looking for a more comprehensive approach to business continuity, then ISO 22301 is an excellent start.
As mentioned above, ISO 22301:2019 (the most recent version) is the international standard for business continuity management.
The standard sets out requirements to implement, maintain and continually improve a Business Continuity Management System (BCMS). This can be used to guard against, reduce the likelihood of, prepare for, respond to and recover from disruptive incidents (as mentioned above) when they take place.
Furthermore, as an ISO Management System Standard (ISO-MSS), ISO 22301 follows the High Level Structure. This means it can be integrated with other ISO-MSS (e.g. ISO 27001), which enables organisations to satisfy shared requirements ‘in one go’.
For example, organisations that are already ISO 27001 certified could combine their information security risk register with their business continuity risk register, creating one centralized record of their risks. (Organisations looking to get started with risk management can take advantage of our free template.)
While you may already have some ad hoc measures in place, making sure that everybody is aware of your policies and that everyone follows them can be difficult.
With the ISO 22301 Standard, you have a robust framework to help you define, monitor, review and update your business continuity processes. This can help ensure they are consistently applied.
There are a number of benefits associated with taking a systematic approach to business continuity. Some of the most common include:
– Increased efficiency with regards to decision making
– Improved organizational resilience (ensuring you can continue to deliver your products and services)
– Improved ability to respond to legislative requirements
– A competitive advantage over non-ISO-certified companies
Hopefully, the topic of business continuity is now a little clearer! In summary, it is best understood as the measures taken by an organization to ensure it can continue to operate ‘as normal’, or at least as close to normal as is possible.
If you are looking to implement ISO 22301, or to understand the current state of your BC controls, the first step is to perform a gap analysis. This will help you understand what needs to be done to conform to the standard in question. It will also reveal what you have already implemented, and what more you need to do.
To help with this, we have built an automated tool which can take you through the standards line by line. For more information, please visit our website or book a call with our Head of Operations at a time that suits you.