ISO 22301 - Implementing a Business Continuity Management System

JoLCS

#1
Hi,

I'm getting ready to start creating a business continuity management system which would be at the ISO 22301 standard. I have to come up with a BC (business continuity) and a DR (disaster recovery) plan, create an internal BC&DR audit, have a BC exercise in place (logged in the internal audit), and so on. I'm fairly new with this particular standard, so I was hoping I could find someone who could provide me some templates, but most of all any advice on this topic. Any input about this would be very much appreciated.
Thank you
 
pldey42

#5
In my experience as a tutor and auditor of ISO 22301 BCM systems, it's vital to get the business impact analysis and risk assessment right. These activities identify and prioritize the key business processes that must be preserved through a disruptive incident, and risks that bear upon BC planning. It's important to understand that BC planning cannot be driven by risk assessment alone.

For example, electric power is an essential resource for most organizations. Whilst one could enumerate all the hazards that could interrupt power (power station runs out of coal, electric cables break, bill not paid, fuses blown by incompetent electrician, etc.), the impact of electric failure is that work stops. So we plan anyhow for electric failure, for example with supplies from two alternative power stations, uninterruptible power supplies, diesel generators and so forth. Risk analysis might tell us whether lightning is a significant threat and, if so, we might install lightning conductors - as well as the BC arrangements like backup generators. If you like, business continuity plans are for use when risk assessment and mitigation fail.

It's important also to understand that ISO 22301 doesn't talk of DR planning. Rather, it expects plans for (a) dealing with the immediate consequences of a disruptive incident, (b) plans for continuing vital processes while (c) longer term recovery plans restore things back to normal. Organizations differ in their understanding of what DR planning actually means, so the standard offers a common vocabulary - which avoids arguments by not using the DR term.

Another common error is to see BC planning as an IT issue. While IT is almost certainly involved, so too are people and operational processes. For example, if the call centre is essential, IT DR planning alone won't be enough. There must be plans for, e.g., firing up an alternative call centre location, for getting the right staff to it, and for providing them with food and drink.

While templates can be useful and are available from several vendors I think they have limited value because, as anyone with real experience of serious disruptive incidents knows, the key factors are the people on the ground dealing with the incident, its consequences, and maintaining service while recovery proceeds.

For example, while BP may have had templates in their BC plans for what executives should say in public, they didn't stop Tony Hayward making insensitive comments about his yachting vacation just after his company flooded the Gulf with oil.

And when the Costa Concordia sank off the coast of Italy having struck a rock its Captain reportedly said should not have been there, true leaders emerged such as the dancer who herded her allocated passengers together and timed the rate at which water was rising, watching the rescue boats, so she could tell her charges to swim if the boats didn't reach them in time - but they did, so her group survived. I think one learns that a critical element of BC planning is getting the right people leading aspects of incident management, and empowering them to make it up as they go along if necessary.

If an organization goes for formal certification to ISO 22301, the CB will expect a regular, planned exercise programme that demonstrates the system will likely work if called upon, and that leads to corrective actions and improvements in BC planning, including the BIA and risk assessment activities as appropriate. This is worth mentioning because many organizations find BC exercises expensive and disruptive and resist doing them properly. In my experience CBs may insist that some 66% of the system has been exercised by Stage 2 (and 33% by Stage 1) - and that the results are being acted upon.

How seriously one takes all this depends upon the impact upon life and death of one's activities. BC planning is clearly more vital for a hospital than a fish and chip shop - except, for the latter, the business is mom and pop's livelihood, so they plan as much as they need to, e.g. so that they have sufficient power for the lights and fryers to feed the local community through a power cut.

Which raises another aspect: BC isn't just about survival, it can also bring competitive edge. If mom and pop can feed people fish 'n chips through a power outage, and the burger joint next door has its lights and fryers out, who wins more long term customers when power returns?

Here's some UK Government guidance that might be helpful:

https://www.gov.uk/resilience-in-so...ommunities-and-businesses#business-continuity

http://www.cpni.gov.uk/Security-Planning/Business-continuity-plan/

It refers in some places to BS 25999 which was ISO 22301's predecessor. In concept the two are similar; ISO 22301 benefitted from practical experience gained with BS 25999.

It helps, perhaps, to understand that BS 25999 was introduced here in the UK after we were hit hard by some major incidents. For example, in the 7/7 bombing incidents in London, the emergency services learned that (a) they had not prepared for several similar incidents at the same time (so the response to the second bomb was delayed because incident managers thought that the people calling it in were referring to the first bomb) and that (b) police, fire and ambulance services could not properly co-ordinate because their different radio systems could not inter-communicate. Thus, BS 25999 and now ISO 22301 were designed, not just to help organizations survive disruptive incidents but, with common vocabulary, concepts and processes, to co-ordinate joint planning, amongst organizations, especially in critical national infrastructure, hence the rather clumsy "societal security" terminology.

Hope this helps,
Pat
 
kukani41

#6
Hi

I have just created a similar business continuity management system. I have already carried out a business impact analysis and risk analysis. I have created the business continuity plan and am currently pulling together the IT recovery plan. However, I now have to come up with the testing exercises. So any help with pulling these together would be really helpful. Let me know what you need and I will try to help where I can.
 

Marc

#7
It would be best to attach your related procedures if you want feedback on how to test them. Just a thought.
 

Richard Regalado

#8
Hello. The first step, as with most ISO-based management system standards, is to define your scope. The standard provides guidance in this regard:

1. Determine interested parties
2. Determine needs and expectations of the interested parties
3. Determine the context of the organization in relation to business continuity

Do the above and come up with a scope for your BCMS.
 
feldspath

#9
Is the beginning of an ISO 22301 project the right time to use such software (Business Continuity Planning Suite, for instance), or must the business acquire a certain maturity in business continuity before moving towards the use of software? Also, since undertaking a certification is akin to a project, why not use project management software?
 
#10
Hi Feldspath, welcome!

The use of such software shouldn't really depend too much on the maturity of the BCMS. It can help you build what you have to have, for sure. You are correct, also, that the implementation IS like a project, so it should be managed like one, too. Software for either is likely to be different, although the BCPS might have some PM aspects built in (I've not used it). PM software ISN'T going to be satisfactory for actually building an ISO 22301 BCMS, however.
 