cybersecurity and encryption
ISO 22301 Standard
Cyber-attacks, pandemics, heavy snowfalls, computer failures, supplier shortages, etc. Sound familiar? Every organization, regardless of its size, sector or complexity, needs to be prepared to manage and respond appropriately to disasters and business interruptions.
Business continuity is the ability of an organization to guarantee the provision of its products or services, at an acceptable and predefined level, after a disruptive incident.
What is ISO 22301
ISO 22301 is the internationally recognized standard that determines the requirements for implementing, operating, monitoring, reviewing, maintaining and improving a Business Continuity Management System (BCMS), which guarantees the continuity of activities and the recovery of business processes in the event of a disruptive event, improving resilience and minimizing the consequences of such events.
Importance of ISO 22301
ISO 22301 serves as a framework on which to build a Business Continuity Management System (known as BCMS), enabling organizations to be prepared to continue operating during business disruptions. The requirements of the standard are intended to be applied and adapted to all types of organizations, regardless of the type, size, sector and nature of the organization.
Structure of the ISO 22301 Standard
01 - Purpose and field of application
02 - Standards for consultation
03 - Terms and definitions
04 - Context of the organization
05 - Leadership
06 - Planning
07 - Support
08 - Operation
09 - Evaluation
10 - Improvement
How it relates to BS 25999-2
ISO 22301 has its origins in the British standard BS 25999-2, published in 2007 and was the first certifiable and auditable standard related to business continuity management. It soon became the reference standard for the implementation of Business Continuity Management Systems until it was finally replaced by ISO 22301 in 2012.
ISO 22301 requirements on Business Continuity
Among all the requirements of the standard, we can highlight the following key aspects, which are fundamental to achieve adequate continuity management in the organization:
Study of the starting situation and degree of maturity of the organization in terms of business continuity. Including the analysis of aspects such as; size and type of services offered, legal requirements, roles and responsibilities, needs and expectations of management and third parties, etc.
Document that enshrines the purposes and commitments of the Organization with business continuity, establishing the objectives and principles pursued. The Policy serves as the overall framework and guide for the BCMS, and therefore must be approved, communicated and reviewed periodically.
The process of evaluating the Organization’s activities and the effects that a disruption in these activities could have on the Organization. This process is a basic pillar since it allows the identification of critical activities, their dependencies and resources required to operate at a minimum acceptable level.
Identification, analysis and evaluation of the main vulnerabilities and threats that could affect the continuity of the Organization’s activities, as well as the current safeguards, with the objective of designing corrective plans to reduce the most critical current continuity risks.
Identification of disaster scenarios and selection of continuity strategies for the organization’s critical activities, including the action times and resources required to meet the time and capacity objectives determined.
Documented procedures that guide the Organization, its personnel and response teams, in the detection, escalation and declaration of a crisis, as well as in the response and resumption of operations, in a coordinated and planned manner, at a predefined level after the disruption.
Procedures that contemplate the guidelines for testing and measuring the effectiveness of the plans, allowing to verify that the most critical activities can be recovered as planned, safely and effectively by previously trained personnel.
Definition of maintenance, review and continuous improvement procedures where monitoring activities are established that allow the BCMS to be updated with respect to business changes, new threats, compliance deviations, improvements or corrections, etc.
Which companies should be certified to ISO 22301
All companies and organizations, public or private, regardless of their type, size and sector, that need to be able to continue to deliver products and/or services quickly and with acceptable capacity during a disruption that could paralyze their operations.
Benefits for companies of complying with ISO 22031
Among the many benefits of complying with the standard, we can highlight that, in the event of an event that paralyzes an organization’s operations, having an ISO 22301-compliant BCMS will provide the organization with the following advantages:
Which companies should apply it
Once the Business Continuity Management System has been implemented, it is possible to certify it in order to have a seal of conformity, guaranteeing its optimal implementation, operation and maintenance.
To do so, it is necessary to pass an external compliance audit with an authorized entity.
Having the ISO 22301 certification allows to control and promote the continuous improvement of the Management System, giving credibility not only to the expected results, but also to the needs and objectives of the organizational strategy. Consequently, the organization will have a reputational and image benefit in the eyes of customers, suppliers and other interested parties.
Do you need more information about
Contact our cybersecurity specialists and they will advise you on what is best for your company.