What is ISO 22301?
ISO 22301 is one of the first globally recognized standards for societal security and business continuity. The standard specifies a structure for business continuity in an organization.
ISO 22301 2012 defines business continuity management for organizations as a process that identifies any risks and threats that can negatively affect business operations. The standard also provides a structure for managing operations after rectifying the negative effects of them.
ISO 22301 Requirements
An ISO 22301 certification has several requirements for the accreditation of it. The certification provides organization’s with a proper understanding of information technology management as the business continuity structure contains several clauses that require the staff of the organization to be trained in them.
The specific requirements for the certification are:
- A proper procedure in place for identification of applicable legal and regulatory requirements (clause 4.2.2) – defines who is responsible for compliance.
- A complete list of legal, regulatory and other requirements (clause 4.2.2) – lists everything an organization needs to comply with.
- A predefined scope of the BCMS and explanation of exclusions (clause 4.3) – defines where the organization’s BCMS will be implemented.
- Predefined business continuity policy (clause 5.3) – defines main responsibilities and the intent of the management.
- Clear and defined business continuity objectives (clause 6.2) – defines measurable objectives that are to be achieved with business continuity.
- Documented competencies of personnel (clause 7.2) – defines the knowledge and skills needed.
- Periodic communication with interested parties (clause 7.4) – defines which interested parties exist, and how to communicate with them.
- A specific process for business impact analysis and risk assessment (clause 8.2.1) – defines the methodology for BIA and RA.
- Documented results of business impact analysis (clause 8.2.2) – documents the results of BIA.
- Documented results of risk assessment (clause 8.2.3) – documents the results of RA.
- List of business continuity procedures (clause 8.4.1) –include incident response, recovery and business continuity plan(s).
- Predefined incident response procedures (clause 8.4.2) – defines how to initially respond to various incidents.
- A clear procedure for the decision on whether the risks and impacts are to be communicated externally (clause 8.4.2) – this is normally made by Crisis manager.
- Regular communication with interested parties, including the national or regional risk advisory system (clause 8.4.3) – this can be documented through emails, minutes, memos, etc.
- Systematically kept records of important information about the incident, actions taken and decisions made (clause 8.4.3) – normally this is done through minutes.
- Predefined procedures for responding to disruptive incidents (clause 8.4.4) – these are the business continuity plan(s) and recovery plan(s), including the disaster recovery plans.
- Predefined procedures for restoring and returning business from temporary measures (clause 8.4.5) – these are the procedures on what to do after the operations have been recovered.
- A post-exercise report (clause 8.5).
- Systematically kept results of actions addressing adverse trends or results (clause 9.1.1) – these are basically the preventive actions.
- Documented data and results of monitoring and measurement (clause 9.1.1) – this the evaluation on whether your BCMS met the objectives.
- LIsted results of internal audit (clause 9.2) – normally, this is the Internal audit report.
- Listed results of management review (clause 9.3) – usually, this is in the form of minutes or perhaps documented decisions.
- A defined nature of nonconformities and actions are taken (clause 10.1) – this is a description of nonconformities and their cause.
- Systematically kept results of corrective actions (clause 10.1) – this is a description of what has been done to eliminate the cause of a nonconformity.
ISO 22301 Training
At Samarth Consultants we provide the proper guidance to the organizations that are seeking to implement the information technology and management system in their business continuity.
We train the staff and management with the help of a step by step guide. We strive to train the organizations on the standards and policies that need to be followed to implement The business continuity structure within the organization.
ISO 22301 Certification
The certification for ISO 22301 as previously stated is very useful in implementing a business continuity structure within an organization and its processes. As consultants, we guide our clients in acquiring the proper skills and strategies that are required for the accreditation of this certification.
We audit the company for any discrepancies in the system and go about implementing the strategies that are needed for the business continuity structure. Our trainers provide training to the staff and the upper management, while also making them aware of their roles and responsibilities under the new structure.
The certification provides several benefits to the business operations of any organization like:
- Improved understanding of the business.
- Risks are reduced by implementing risk assessment.
- Downtime is reduced because of identifying alternate works.
- Implements new technologies like cloud computing applications.
- Issues with the alternative processes are identified and dealt with.
- Maintenance of important records related to business is done.
- Effectiveness of operations is improved.
- Ensuring continuity of supply to end-user.
- Improved security system.