Iso 22301 Standard: Know The Business Continuity Management Systems Policy

By Author: John
Total Articles: 304
Comment this article

Business continuity management systems standards are outlined in the ISO 22301:2019 standard. The International Organization for Standardization (ISO) has released a global standard that outlines how to maintain business continuity in an organization. This standard, which was created by top business continuity specialists, offers the greatest structure for handling business continuity within an organization. One aspect that sets this standard apart from other business continuity frameworks and standards is that an organization can obtain certification from a recognized certification authority and so be able to demonstrate compliance to its clients, partners, owners, and other stakeholders.

The goal of ISO 22301 is to guarantee that company operations continue to offer goods and services in the wake of disruptive events. The accomplished by determining the priorities for business continuity (through business impact analysis), identifying the potential disruptive events that could affect business operations (through risk assessment), determining what needs to be done to prevent such events from occurring, and then determining ...
... how to recover minimal and normal operations in the shortest amount of time (i.e., through risk mitigation or risk treatment). As a result, the core principles of ISO 22301 are centred on analyzing impacts and managing risks: identify which activities are more crucial and identify the risks that may have an impact on them before implementing a systematic risk management strategy.

The senior management must declare its goals for company continuity for the policy to serve its primary objective. Then why would that matter? Because executives frequently don't understand how business continuity might benefit their organization, it is unlikely that they will be particularly interested in supporting the business continuity initiative in their organization. The fundamental issue facing business continuity practitioners is this lack of attention; therefore, by mandating the creation of a policy, ISO 22301 is taking a first step toward achieving this recognition in the eyes of top management.

The second goal is to produce an ISO 22301 policy document that will be simple for executives to understand and that will allow them to have complete control over everything that happens within the Business Continuity Management System. Executives don't need to understand the specifics of risk assessment or business impact analysis, but they do need to know who is in charge of the BCMS and what to expect from it. Although the ISO 22301 standard doesn't mention much about the policy, it does state the following:

• The policy must be tailored to the organization, which implies that you cannot simply copy a policy from a major industrial firm and apply it to a small IT firm.
• It must explain the framework for establishing business continuity objectives; in other words, the policy must define how objectives are presented, approved, and reviewed.
• The policy must demonstrate top management's commitment to meeting the needs of all stakeholders and consistently improving the BCMS - this is usually done through some form of statement.
• The ideal practice is to specify who is accountable for such communication so that it is done consistently. It must be communicated both within the organization and, where necessary, to interested parties.
• The policy must be reviewed regularly, and its owner should be identified so that they can ensure its upkeep.

As a result, the policy need not be a lengthy document, as you can see. It is helpful to incorporate the following:

• The scope of the BCMS - In this manner, the scope does not need to be a separate document.
• Responsibilities for important sections of the BCMS - who is in charge of day-to-day operations and coordination, who is in charge at the executive level, and so on.
• Measurement – Who will determine whether the business continuity objectives have been met, to whom the findings must be communicated, and how frequently, and so on?