ISO 22301:2012 - Blog

What is ISO 22301:2012?

November 19th, 2019 Posted in ISO 22301

If disaster struck your business, could your business continue? If your warehouse caught fire and you lost all your stock, if ransomware locked up all your systems or your premises were attacked by storm troopers like Lego man here, do you have a business continuity plan at hand?  If not, or if you do but you’re not confident in it, you may want to consider implementing a Business Continuity Management System and if you’re really serious, you may want to consider ISO 22301:2012 certification.

“ISO 22301:2012 Societal Security – Business continuity management systems – Requirements”, to give it its full title, was published in 2012 and replaced the British Standard for Business Continuity Management BS 25999-2. It was the first internationally recognised business continuity management standard, and the first ISO standard to adopt Annex L (previously Annex SL) which provides a framework now common to all new management system standards published by ISO, the International Organisation for Standardisation.

The ISO framework ensures that key concepts such as organisational context, leadership, planning, support, operation, performance evaluation and continual improvement are systematically considered and addressed in the development of all ISO-based management systems, allowing an easier integration of multiple management systems within the same organisation.

Put simply, ISO 22301:2012 is the international standard that, beyond Annex L, sets generic requirements for the creation and maintenance of Business Continuity Management Systems (BCMS), ensuring that organisations, whatever their size and the industry within which they operate, have taken the necessary steps to protect themselves from business disruptions in the first instance, and to reduce the impact of such disruptions in the second. A considered level of preparedness will often result in improved customer confidence, increased competitive advantage and enhanced corporate reputation.

How can ISO 22301:2012 certification help your business?

The standard operates the Plan-Do-Check-Act principle by establishing, implementing and operating policies, controls, processes and procedures, monitoring and evaluating their effectiveness and improving them on a continual basis. Reference to ISO 22313:2014 is useful in that it provides guidance on the implementation of ISO 22301:2012.

The implementation of ISO 22301 addresses challenges and issues often encountered in the design and implementation of business continuity management systems. It helps in the understanding and assessment of the impact of disruptions to an organisation and its stakeholders over time through the identification of critical deliverables such as products and services and mandates management commitment in ensuring that the threats of disruption are identified and assessed and that mitigating actions are implemented in a timely manner.

What are the key elements of ISO 22301:2012?

ISO 22301:2012 offers an approach that reinforces the traditional business continuity cycle of activities by focusing on:

  • Setting policy and defining programme scope and objectives:
    • The business continuity policy, approved by a senior sponsor, will mandate the business continuity approach and priorities;
    • Business continuity objectives, consistent with the policy and aligned to the wider corporate objectives, will be ratified by senior management;
    • Objectives will vary from one organisation to another, depending on size, industry and geographical complexity;
    • SMART objectives (Specific, Measurable, Achievable, Relevant and Time-bound) will promote adherence to the principles of the standard, consistency of approach, and will ensure that business continuity activities are delivered according to an agreed, published and tracked timetable;
  • Appropriate governance:
    • Demonstrates management commitment through leadership from the top, embedding business continuity in the culture of the organisation and supporting the business continuity function in securing resources and in delivering its agreed schedule of activities;
    • Establishes clear roles, responsibilities and authorities;
    • Ensures business continuity controls are defined, approved, implemented and subsequently managed both efficiently and effectively; and,
    • Ensure that business continuity staff are trained, confident in their application of business continuity principles, and appropriately deployed;
  • Understanding the context of the organisation, with consideration to:
    • Cultural and geographical diversity;
    • Corporate roadmap and objectives;
    • Key business deliverables such as products and services; and
    • Key internal and external stakeholders, their needs and the expectations they place on the business;
  • A reliable Business Impact Analysis (BIA) process that will identify and agree:
    • The activities/business processes that underpin and support the organisation’s key business deliverables;
    • The impact over time of not performing these activities;
    • The dependencies of these activities on people and skills, technology and communications, facilities and geographical constraints, internal processes and suppliers;
  • Identifying and risk-assessing potential disruption threats, and determining and implementing commensurate risk treatment;
  • Defining and selecting realistic strategies based on the results of the Business Impact Analysis process to help the organisation:
    • Safeguard staff;
    • Protect its key activities;
    • Resume disrupted activities/business processes; and,
    • Formalise its Business Continuity Plan or Plans (BCP);
  • Establishing, implementing and maintaining procedures in support of the business continuity plan;
  • Creating an incident response structure that considers impacts of a disruption and establishes:
    • Business-relevant triggers;
    • Time-dependent escalation processes;
    • Communication protocols to staff, customers and suppliers;
    • Notification protocols to regulatory bodies;
    • Media (press) management;
    • Tactical and strategic responses; and,
    • The return to normal operations and incident closure;
      We have a detailed blog on creating your Incident Response Plan here.
  • Communicating the plans and procedures to relevant staff, delivering training where required, making sure staff are familiar with the business continuity policy and aware of their roles and responsibilities in the event of a business-impacting incident;
  • Validating that the Business Continuity plan is fit for purpose through testing all aspects of the plan with the aim to identify improvements:
    • Testing can be achieved via simulations or “real” exercises involving internal and external stakeholders;
    • Testing must consider all dependencies, including challenging whether the business continuity capability of suppliers can support the organisation’s own business continuity objectives;
  • Identifying and implementing improvements to the organisation’s business continuity methodology and supporting documentation.

Need help?

If you are implementing a Business Continuity Management System and are working towards ISO 22301 certification or are planning to do so in the future, we can help. Whether it’s just to steer you in the right direction, carry out a gap analysis or help you manage the full certification process, contact us.


Daniel Djiann Evalian Limited 250x250

Written by Daniel Djiann

Daniel consults on ISO 27001, ISO 22301, ISO 9001 and business continuity. He has specialised in organisational resilience for much of his career, working as a consultant and in-house for multi-national organisations. He is also Head of our ISO & Business Continuity Practice. He is an ISO 27001 and ISO 22301 Lead Auditor and a Member of the Business Continuity Institute, MBCI.