ISO 22301 - Implementing a Business Continuity Management System

JoLCS

#1
Hi,

I'm getting ready to start creating a business continuity management system which would be at the ISO 22301 standard. I have to come up with a BC (business continuity) and a DR (disaster recovery) plan, create an internal BC&DR audit, have a BC exercise in place (logged in the internal audit), and so on. I'm fairly new with this particular standard, so I was hoping I can find someone who could provide me some templates, but most of all any advice on this topic. Any inputs about this would be very much appreciated.
Thank you

pldey42

#5
In my experience as a tutor and auditor of ISO 22301 BCM systems, it's vital to get the business impact analysis and risk assessment right. These activities identify and prioritize the key business processes that must be preserved through a disruptive incident, and risks that bear upon BC planning. It's important to understand that BC planning cannot be driven by risk assessment alone.

For example, electric power is an essential resource for most organizations. Whilst one could enumerate all the hazards that could interrupt power (power station runs out of coal, electric cables break, bill not paid, fuses blown by incompetent electrician, etc.) the impact of electric failure is that work stops. So we plan anyhow for electric failure, for example with supplies from two alternative power stations, uninterruptible power supplies, diesel generators and so forth. Risk analysis might tell us whether lightning is a significant threat and, if so, we might install lightning conductors - as well as the BC arrangements like backup generators. If you like, business continuity plans are for use when risk assessment and mitigation fail.

It's important also to understand that ISO 22301 doesn't talk of DR planning. Rather, it expects plans for (a) dealing with the immediate consequences of a disruptive incident, (b) plans for continuing vital processes while (c) longer term recovery plans restore things back to normal. Organizations differ in their understanding of what DR planning actually means, so the standard offers a common vocabulary - which avoids arguments by not using the DR term.

Another common error is to see BC planning as an IT issue. While IT is almost certainly involved, so too are people and operational processes. For example, if the call centre is essential, IT DR planning alone won't be enough. There must be plans for, e.g., firing up an alternative call centre location, for getting the right staff to it, and for providing them with food and drink.

While templates can be useful and are available from several vendors I think they have limited value because, as anyone with real experience of serious disruptive incidents knows, the key factors are the people on the ground dealing with the incident, its consequences, and maintaining service while recovery proceeds.

For example, while BP may have had templates in their BC plans for what executives should say in public, they didn't stop Tony Hayward making insensitive comments about his yachting vacation just after his company flooded the Gulf with oil.

And when the Costa Concordia sank off the coast of Italy having struck a rock its Captain reportedly said should not have been there, true leaders emerged such as the dancer who herded her allocated passengers together and timed the rate at which water was rising, watching the rescue boats, so she could tell her charges to swim if the boats didn't reach them in time - but they did, so her group survived. I think one learns that a critical element of BC planning is getting the right people leading aspects of incident management, and empowering them to make it up as they go along if necessary.

If an organization goes for formal certification to ISO 22301, the CB will expect a regular, planned exercise programme that demonstrates the system will likely work if called upon, and that leads to corrective actions and improvements in BC planning, including the BIA and risk assessment activities as appropriate. This is worth mentioning because many organizations find BC exercises expensive and disruptive and resist doing them properly. In my experience CBs may insist that some 66% of the system had been exercised by Stage 2 (and 33% by stage 1) - and that the results are being acted upon.

How seriously one takes all this depends upon the impact upon life and death of one's activities. BC planning is clearly more vital for a hospital than a fish and chip shop - except, for the latter, the business is mom and pop's livelihood, so they plan as much as they need to, e.g. so that they have sufficient power for the lights and fryers to feed the local community through a power cut.

Which raises another aspect: BC isn't just about survival, it can also bring competitive edge. If mom and pop can feed people fish 'n chips through a power outage, and the burger joint next door has its lights and fryers out, who wins more long term customers when power returns?

Here's some UK Government guidance that might be helpful:

https://www.gov.uk/resilience-in-so...ommunities-and-businesses#business-continuity

http://www.cpni.gov.uk/Security-Planning/Business-continuity-plan/

It refers in some places to BS 25999 which was ISO 22301's predecessor. In concept the two are similar; ISO 22301 benefitted from practical experience gained with BS 25999.

It helps, perhaps, to understand that BS 25999 was introduced here in the UK after we were hit hard by some major incidents. For example, in the 7/7 bombing incidents in London, the emergency services learned that (a) they had not prepared for several similar incidents at the same time (so the response to the second bomb was delayed because incident managers thought that the people calling it in were referring to the first bomb) and that (b) police, fire and ambulance services could not properly co-ordinate because their different radio systems could not inter-communicate. Thus, BS 25999 and now ISO 22301 were designed, not just to help organizations survive disruptive incidents but, with common vocabulary, concepts and processes, to co-ordinate joint planning, amongst organizations, especially in critical national infrastructure, hence the rather clumsy "societal security" terminology.

Hope this helps,
Pat

kukani41

#6
Hi

I have just created a similar business continuity management system. I have already carried out a business impact analysis and risk analysis. I have created the business continuity plan and am currently pulling together the IT recovery plan. However, I now have to come up with the testing exercises. So any help with pulling these together would be really helpful. Let me know what you need and I will try to help where I can.

Marc

#7
It would be best to attach your related procedures if you want feedback on how to test them. Just a thought.

Richard Regalado

#8
Hello. The first step, as with most ISO-based management system standards, is to define your scope. The standard provides guidance in this regard:

1. Determine interested parties
2. Determine needs and expectations of the interested parties
3. Determine the context of the organization in relation to business continuity

Do the above and come up with a scope for your BCMS.

feldspath

#9
Is the beginning of an ISO 22301 project the right time to use such software (Business Continuity Planning Suite for instance) or must the business acquire a certain maturity in business continuity before moving towards the use of software? Also since undertaking a certification is akin to a project, why not use project management software?
#10
Hi Feldspath, welcome!

The use of such software shouldn't really depend too much on the maturity of the BCMS. You can help it build what you have to have, for sure. You are correct, also, that the implementation IS like a project, so should be managed like one, too. Software for either is likely to be different, although the BCPS might have some PM aspects built in (I've not used it). PM software ISN'T going to be satisfactory for actually building an ISO 22301 BCMS, however.