ISO 22301 - Implementing a Business Continuity Management System

JoLCS

#1
Hi,

I'm getting ready to start creating a business continuity management system which would be at the ISO 22301 standard. I have to come up with a BC (business continuity) and a DR (disaster recovery) plan, create an internal BC&DR audit, have a BC exercise in place (logged in the internal audit), and so on. I'm fairly new with this particular standard, so I was hoping I can find someone who could provide me some templates, but most of all any advice on this topic. Any inputs about this would be very much appreciated.
Thank you
 
pldey42

#5
In my experience as a tutor and auditor of ISO 22301 BCM systems, it's vital to get the business impact analysis and risk assessment right. These activities identify and prioritize the key business processes that must be preserved through a disruptive incident, and risks that bear upon BC planning. It's important to understand that BC planning cannot be driven by risk assessment alone.

For example, electric power is an essential resource for most organizations. Whilst one could enumerate all the hazards that could interrupt power (power station runs out of coal, electric cables break, bill not paid, fuses blown by incompetent electrician, etc.), the impact of electric failure is that work stops. So we plan anyhow for electric failure, for example with supplies from two alternative power stations, uninterruptible power supplies, diesel generators and so forth. Risk analysis might tell us whether lightning is a significant threat and, if so, we might install lightning conductors - as well as the BC arrangements like backup generators. If you like, business continuity plans are for use when risk assessment and mitigation fail.

It's important also to understand that ISO 22301 doesn't talk of DR planning. Rather, it expects plans for (a) dealing with the immediate consequences of a disruptive incident, (b) plans for continuing vital processes while (c) longer term recovery plans restore things back to normal. Organizations differ in their understanding of what DR planning actually means, so the standard offers a common vocabulary - which avoids arguments by not using the DR term.

Another common error is to see BC planning as an IT issue. While IT is almost certainly involved, so too are people and operational processes. For example, if the call centre is essential, IT DR planning alone won't be enough. There must be plans for, e.g., firing up an alternative call centre location, for getting the right staff to it, and for providing them with food and drink.

While templates can be useful and are available from several vendors I think they have limited value because, as anyone with real experience of serious disruptive incidents knows, the key factors are the people on the ground dealing with the incident, its consequences, and maintaining service while recovery proceeds.

For example, while BP may have had templates in their BC plans for what executives should say in public, they didn't stop Tony Hayward making insensitive comments about his yachting vacation just after his company flooded the Gulf with oil.

And when the Costa Concordia sank off the coast of Italy having struck a rock its Captain reportedly said should not have been there, true leaders emerged such as the dancer who herded her allocated passengers together and timed the rate at which water was rising, watching the rescue boats, so she could tell her charges to swim if the boats didn't reach them in time - but they did, so her group survived. I think one learns that a critical element of BC planning is getting the right people leading aspects of incident management, and empowering them to make it up as they go along if necessary.

If an organization goes for formal certification to ISO 22301, the CB will expect a regular, planned exercise programme that demonstrates the system will likely work if called upon, and that leads to corrective actions and improvements in BC planning, including the BIA and risk assessment activities as appropriate. This is worth mentioning because many organizations find BC exercises expensive and disruptive and resist doing them properly. In my experience CBs may insist that some 66% of the system had been exercised by Stage 2 (and 33% by stage 1) - and that the results are being acted upon.

How seriously one takes all this depends upon the impact upon life and death of one's activities. BC planning is clearly more vital for a hospital than a fish and chip shop - except, for the latter, the business is mom and pop's livelihood, so they plan as much as they need to, e.g. so that they have sufficient power for the lights and fryers to feed the local community through a power cut.

Which raises another aspect: BC isn't just about survival, it can also bring competitive edge. If mom and pop can feed people fish 'n chips through a power outage, and the burger joint next door has its lights and fryers out, who wins more long term customers when power returns?

Here's some UK Government guidance that might be helpful:

https://www.gov.uk/resilience-in-so...ommunities-and-businesses#business-continuity

http://www.cpni.gov.uk/Security-Planning/Business-continuity-plan/

It refers in some places to BS 25999 which was ISO 22301's predecessor. In concept the two are similar; ISO 22301 benefitted from practical experience gained with BS 25999.

It helps, perhaps, to understand that BS 25999 was introduced here in the UK after we were hit hard by some major incidents. For example, in the 7/7 bombing incidents in London, the emergency services learned that (a) they had not prepared for several similar incidents at the same time (so the response to the second bomb was delayed because incident managers thought that the people calling it in were referring to the first bomb) and that (b) police, fire and ambulance services could not properly co-ordinate because their different radio systems could not inter-communicate. Thus, BS 25999 and now ISO 22301 were designed, not just to help organizations survive disruptive incidents but, with common vocabulary, concepts and processes, to co-ordinate joint planning, amongst organizations, especially in critical national infrastructure, hence the rather clumsy "societal security" terminology.

Hope this helps,
Pat
 
kukani41

#6
Hi

I have just created a similar business continuity management system. I have already carried out a business impact analysis and risk analysis. I have created the Business continuity plan and currently pulling together the IT recovery plan. However, I now have to come up with the testing exercises. So any help with pulling these together would be really helpful. Let me know what you need and I will try to help where I can.
 

Marc

Hunkered Down for the Duration
Staff member
Admin
#7
It would be best to attach your related procedures if you want feedback on how to test them. Just a thought.
 

Richard Regalado

Trusted Information Resource
#8
Hello. The first step, as with most ISO-based management system standards, is to define your scope. The standard provides guidance in this regard:

1. Determine interested parties
2. Determine needs and expectations of the interested parties
3. Determine the context of the organization in relation to business continuity

Do the above and come up with a scope for your BCMS.
 
feldspath

#9
Is the beginning of an ISO 22301 project the right time to use such software (Business Continuity Planning Suite, for instance), or must the business acquire a certain maturity in business continuity before moving towards the use of software? Also, since undertaking a certification is akin to a project, why not use project management software?
 
#10
Hi Feldspath, welcome!

The use of such software shouldn't really depend too much on the maturity of the BCMS. You can help it build what you have to have, for sure. You are correct, also, that the implementation IS like a project, so it should be managed like one, too. Software for either is likely to be different, although the BCPS might have some PM aspects built in (I've not used it). PM software ISN'T going to be satisfactory for actually building an ISO 22301 BCMS, however.
 