What is Business Continuity Management?
"81 per cent of managers whose organizations activated their business continuity arrangements in the last 12 months say that it was effective in reducing disruption. In summary: business continuity works."
Winter weather, IT outage or industrial action are the disruptions that make headline news. But disruption also includes staff illness or events that affect your supply chain.
Business Continuity Management provides a framework that allows you to identify potential threats to your organization and build capability. This means you can respond to threats and safeguard the interests of key stakeholders, reputation, brand and value-adding activities.
ISO 22301 provides a formal business continuity framework and will help you to develop a business continuity plan that will keep your business running during and following a disruption. It will also minimize the impact so you can resume normal service quickly, ensuring key services and products are still delivered.
If disruption is not an option for your business, adopting the international business continuity standard, ISO 22301, is the first step towards a best practice approach.
What is ISO 22301?
ISO 22301 is the new international standard for business continuity management. It has been created in response to strong international interest in the original British Standard BS 25999-2 and other regional standards. And if you meet the requirements to gain certification, your organization will be recognized globally.
ISO 22301 identifies the fundamentals of a business continuity management system, establishing the process, principles and terminology of business continuity management.
It provides a basis for understanding, developing and implementing business continuity within your organization and gives you confidence in business-to-business and business-to-customer dealings. Use it to assure key stakeholders that your business is fully prepared and you can meet internal, regulatory and customer requirements.
The standard provides organizations with a framework to ensure that they can continue operating during the most challenging and unexpected circumstances – protecting their staff, preserving their reputation and providing the ability to continue to operate and trade.
Why should I choose ISO 22301?
To prove that your organization can continue to operate, even in the face of disruption. A business continuity management system (BCMS) aligned to ISO 22301 is suitable for any organization of any size across all industries, from public to private, manufacturing and service. And it provides a common language for global organizations, especially those with long and complex supply chains.
And the standard is particularly relevant for organizations operating in high risk environments where the ability to continue operating is paramount for business, customers and stakeholders – this includes utilities, finance, telecommunications, transport and the public sector.
It will enable you to:
- Establish, implement, maintain and improve your BCMS.
- Meet the requirements of your business continuity policy.
- Give key stakeholders confidence in your conformity and commitment to internationally recognized best practice.
- Achieve BSI certification/registration of your BCMS.
The standard
ISO 22301:2012 Societal security – Business continuity management systems – Requirements provides the requirements for a Business Continuity Management System (BCMS) based on BCM best practice.
You can use the standard to demonstrate compliance via an auditing and certification process.
Next steps
For further information please request a quote or contact us
ISO 22301 business continuity brings many benefits, especially when combined with independent certification from BSI. These include:
- Framework: Provides a common consistent framework, based on international best practice that allows you to maximize the quality and efficiency of your processes. This includes the Plan, Do, Check, Act business continuity methodology.
- Resilience: Adoption of a business continuity management system improves operational resilience by providing a framework for effectively managing risk.
- Reputation: Helps you protect and enhance your reputation and brand.
- Competitive advantage: Opens new markets and helps you win new business. Gain client confidence through the universal acceptance of ISO standards that open up global opportunities.
- Win more contracts more cost effectively: Provides a marketing edge and, coupled with certification, can help reduce the cost of tendering.
- Business improvement: Certification requires a clear understanding of your entire organization which can identify opportunities for improvement.
- Continuous improvement: The certification process involves regular audits that ensure your management system is up to date.
- Compliance: Demonstrate that you meet the requirements of applicable laws and regulations.
- Cost Savings: Creates opportunities to reduce the cost of BCM audits, improve financial performance and reduce insurance premiums.
- Delivery: Your BCMS framework supports rehearsed management processes that allow you to supply an agreed level of critical services and products within a specified timeframe after disruption.
- Management: A BCMS provides proven management capability during times of disruption.
Do you have BS 25999 already?
We’re proud that the British Standard BS 25999-2 has helped shape ISO 22301 Business Continuity Management. By adopting or certifying to the international standard you can demonstrate a best practice approach to minimizing risk and protecting your organization against disruption.
How does ISO 22301 compare to BS 25999-2?
All core BS 25999-2 business continuity requirements are present in ISO 22301.
These include:
- Business continuity policy.
- Business impact analysis.
- Risk assessment.
- Business continuity strategy (business continuity plans, exercising and testing).
What's different?
Objectives, monitoring performance and metrics
ISO 22301 puts greater emphasis on the setting of objectives, monitoring performance and metrics – bringing business continuity much closer to the top management way of thinking. This may be a new requirement, but most organizations already produce metrics and can tailor these to BCMS performance.
Top management commitment
ISO 22301 gives top management clearer BCM leadership responsibilities and outlines specific ways in which management must demonstrate its commitment to the system.
Planning
ISO 22301 requires careful resource planning and preparation. It aims to integrate the BCMS with the organization’s objectives and risk appetite. Requirements are extended but more clearly structured.
Requirements around Supply Chain
ISO 22301 outlines more requirements relating to suppliers. These make it a useful tool for validating supply chains and client and contractual requirements.
Interested parties
The new international standard requires organizations to consider their interested parties more widely than BS 25999, bringing about closer alignment with organisational objectives for corporate social responsibility.
International adoption and acceptance
ISO 22301 will lead to wider use of international BCMS best practice. It aims to standardize the approach to and language of BCM, creating a level playing field for international business.
Why is there a need for a new International Standard for Business Continuity?
We know that 50% of BS 25999-2 certificates are currently outside of the UK. There is a global need for standardization in this area and the ISO committee has monitored its international impact.
I’m aligned to the standard BS 25999-2. Can I still use it?
While BS 25999-2 will be withdrawn, it remains relevant and you can still use it. The standard has simply been superseded by ISO 22301 based on the way BCM best practice has evolved over the past five years.
I’m certified to the standard BS 25999-2. How quickly do I need to change from BS 25999 to the new ISO 22301?
ISO 22301 is not considered to be a new scheme but will likely be a transition. The transitional periods for certification will be defined by UKAS. They are typically 12 to 18 months, but can be up to three years. We will have more information when the new international standard is published and UKAS releases its transition plan. It is widely expected that transitions will be conducted during a continuous assessment visit.
While I’m making the move from BS 25999-2 to ISO 22301, is my BS 25999-2 certificate still valid?
Yes, certificates issued to BS 25999-2 will remain valid during the transitional period.
Are there major changes in ISO 22301?
Most of the requirements in BS 25999-2 are also present in the new international standard.
If you’re already one of our clients and have various standards in place, your Client Manager can help you assess where you are now and guide you through to the certification process.
If you’re new to BSI, don’t worry, it’s still a simple process.
1. Choose the standard
You’ll need a copy of the standard before you can start preparing for your application. You should read it and familiarize yourself with it.
2. Make contact
Get in touch and tell us what you need so we can provide the best services for you. We’ll then provide a proposal detailing the cost and time involved in a formal assessment.
3. Meet your assessment team
We’ll assign you a Client Manager, who will be your main point of contact throughout the process – and beyond. They’ll have an excellent understanding of your business area and will support you as you move forward to the assessment and registration of your information security management system.
4. Consider training
Whether you want to implement a management system or to increase your general awareness of the standard, we can help with our range of workshops, seminars and training courses.
5. Review and assessment
We can do a desktop review of your existing information security management system against the standard to identify omissions or weaknesses that need resolving before formal assessment. Once these have been addressed, we’ll conduct a full on-site assessment.
6. Certification and beyond
Once the assessment has been successfully completed, we’ll issue a certificate of registration, clearly explaining the scope of your certification. This is valid for three years and your assessor will visit regularly to help you stay compliant and support the continual improvement of your systems.