How to protect your business from the worst – ISO 22301

Managing risks such as cyber-attacks means organisations need effective BCM (business continuity management) plans to help them quickly recover from any event.

The international standard ISO 22301:2012 provides a best-practice framework for implementing an optimised Business Continuity Management System (BCMS). This helps organisations to minimise business disruption and continue operating in the event of an incident.

An ISO 22301-aligned BCMS will include disaster recovery and business continuity plans. This can help your organisation recover critical operations as quickly as possible.

What are the benefits to my organisation by implementing a BCMS?

Implementing a BCMS includes the development of business continuity plans, taking into account organisational contingencies and capabilities, as well as the organisation’s individual business needs. ISO 22301 provides the specification for a best-practice BCMS. When it comes to completing tender applications, having a robust Business Continuity Management System in place, can also assist in elevating your submission above your competitors. It can also help you win valuable work.

Tenders

Recent tenders from the likes of banking organisations such as BNP Paribas, outlined that tendering contractors had to have a BCMS to the requirements of ISO 22301 in place. When an organization becomes certified by an accredited certification body, it will be able to prove its compliance to its customers, partners, owners and other stakeholders, therefore assisting to improve its tender chances. Certification can also assist in controlling insurance premiums for organisations.

When implemented properly, business continuity management will decrease the possibility of a disruptive incident, and if such incident does occur, an organization will be ready to respond in an appropriate way, thus drastically decreasing the potential damage of such incident.

Any organization can implement ISO 22301 – large or small, for profit or non-profit, private or public. The standard is conceived in such a way that it is applicable to any size or type of organization.

How does a BCMS fit into my organisation?

Business continuity is part of overall risk management in a company, with areas that overlap with information security management and IT management. Here are some of the commonly used terms associated with this;

Business Continuity Management System (BCMS) – part of an overall management system that makes sure business continuity is planned, implemented, maintained, and continually improved
Maximum Acceptable Outage (MAO) – the maximum amount of time an activity can be disrupted without incurring unacceptable damage (also Maximum Tolerable Period of Disruption – MTPD)
Recovery Time Objective (RTO) – the pre-determined time at which an activity must be resumed, or resources must be recovered
Recovery Point Objective (RPO) – maximum data loss, i.e., minimum amount of data that needs to be restored
Minimum Business Continuity Objective (MBCO) – the minimum level of services or products an organization needs to produce after resuming its business operations

How ISO 22301 Helps

It needs you to consider interested parties affected by the BCMS and their requirements
It defines acceptable timescales for resumption of activities for both you and your parties
Enables you to consider the impact of risks facing your organisation
Requires you to implement and maintain BC plans, helping you better manage disruptive incidents and continue activities
It requires you to carry out regular risk assessments, including those affecting interested parties and the wider community