The International Organization for Standardization (ISO) publishes ISO 22301 business continuity management systems, an international standard that outlines how to manage business continuity within an organization. The greatest framework for managing business continuity in an organization is provided by the standard, which was authored by top professionals in the field. Business continuity management is defined by ISO 22301 as a component of an organization’s total risk management, with some overlap with information security and IT management. To demonstrate the company’s compliance with partners, owners, and other stakeholders, implementation and ISO 22301 certification are helpful. Additionally, ISO 22301 facilitates the acquisition of new clients by simplifying the process of proving superiority in the field.
The most recent revision of ISO 22301 was released in October 2019. ISO 22301:2012, which was created using the British standard BS 25999-2, has been replaced by ISO 22301:2019. Although there are not many significant changes in this 2019 revision, there is more flexibility and less prescriptiveness, which will benefit both businesses and their clients. There are eleven sections or clauses in the ISO 22301 standard. Clauses 0 to 3 are introductory (and are not required for implementation), whereas the important clauses (from 4 to 10) are mandatory – that is, all of their requirements must be implemented in an organization if it wishes to be compatible with the standard.
Before beginning the ISO 22301 implementation project, the organization must determine how to assign the business continuity task to the various departments, business units, and processes. Even with 50 workers, it would be challenging to design a single business continuity plan that included the specific recovery procedures for both your marketing and IT departments or to do a single business impact study for the entire organization at once. For precisely this reason, firms are required by ISO 22301 to segment their businesses into these kinds of operations. You can use one of these two methods to segment your business into different activities:
- Organize your tasks according to processes
- Organize your activities on divisions within the organization.
So, let’s first understand the process-based activities: With this option, the organization have to list their processes, and each of these processes becomes an activity in terms of BCMS.
For example, if a company is a law firm, the process of representing the clients in divorce cases is considered an activity. Such a process probably includes not only the lawyers who work on such cases but also the couriers who handle the mail, administrative personnel who handle the phone calls and correspondence, etc. For each such process, you have to perform business impact analysis and risk assessment, develop the strategy, and write the recovery plan. You can also consider a set of related processes as a single activity, using the law firm as an example, a single activity could include processes related to all types of law practice – not only family law but also intellectual property law, tax law, corporate law, etc. The advantage of this process-based approach is that it is easier to understand activities in terms of the ISO 22301 definition of activity in the ISO 22301 documents, and if individuals already have such processes documented, it might be easier to analyse them.
Let’s now better understand department-based activities – the strategy in which activities are split based on organizational units. This is how a company can ensure that each employee reads only one plan when it is required. In a law firm, this means that the legal department is one activity, the finance department is another, the general affairs department (which includes couriers and administrative people) is another, and so on. The biggest downside of this strategy is that it is impossible to quantify all of the effects during a business impact analysis (BIA) if the organization do not know where the process begins and finishes; this is why BIA requires extensive cross-departmental communication and coordination. The second issue is that recovery plans only cover parts of numerous processes, which means the organization must describe exactly which inputs you need and from whom, as well as when and to whom you need to deliver the outputs, otherwise organization plans will fail.
This department-based approach to activities is permitted under ISO 22301 since it enables activities to be a group of processes, and departments are frequently nothing more than collections of smaller processes. This is also supported by practice, where certifying bodies permit this technique.