Business Continuity

Contingency planning and disaster recovery began as responses to natural disasters and terrorism that affect businesses. Over time it was recognized that businesses need to be prepared for many other forms of disruption as well, and this broader discipline has become known as "business continuity management".

As governments began to understand the role of business continuity in mitigating the effects of disruptive incidents on society, they sought assurance that the key players had business continuity arrangements in place. Similarly, businesses recognized their dependence on each other and wanted assurance that key suppliers and partners would still be able to provide key products and services after a disruption.

BS 25999-2 was introduced in the UK in 2007 to provide a management system standard to which organizations could obtain accredited certification. More recently, ISO 22301:2012, Societal Security – Business Continuity Management Systems – Requirements, was published. ISO 22301 includes concise requirements that describe the central elements of business continuity management.

Certification to ISO 22301 demonstrates to legislators, regulators, customers, and other interested parties that your organization is adhering to good business continuity practices. A more extensive guidance standard, ISO 22313, is being developed to provide greater detail on each requirement in ISO 22301.

ISO 22301 uses the new high-level clause structure and common text (Annex SL of the ISO/IEC Directives) agreed for all new management system standards, which will include the new ISO 9001 and ISO 14001 editions planned for 2015. The clauses are:

1. Scope
2. Normative References
3. Terms and Definitions
4. Context of the Organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance Evaluation
10. Improvement

For more information on ISO 22301, and an overview of the requirements in clauses 4 through 10, see the Business Continuity article in the June 2012 issue of ISO Focus+.

ISO 22301 was developed by ISO Technical Committee 223, Societal Security. The committee develops standards for protecting society from, and responding to, incidents, emergencies, and disasters caused by intentional and unintentional human acts, natural disasters, and technical failures.

In addition to ISO 22301, the committee has published these Societal Security standards:

ISO 22300:2012, Terminology
ISO 22320:2011, Emergency Management – Requirements for Incident Response
ISO/TR 22312:2011, Technological Capabilities
ISO/PAS 22399:2007, Guideline for Incident Preparedness and Operational Continuity Management

The following Societal Security standards are under development:

ISO 22311, Video-Surveillance – Export Interoperability
ISO 22313, Business Continuity Management – Guidance
ISO 22315, Mass Evacuation
ISO 22322, Emergency Management – Public Warning
ISO 22324, Emergency Management – Color-Coded Alert
ISO 22325, Guidelines for Emergency Management Capability Assessment for Organizations
ISO 22351, Emergency Management – Shared Situation Awareness
ISO 22397, Public Private Partnership – Guidelines to Set Up Partnership Agreements
ISO 22398, Guidelines for Exercises and Testing