Headed to RSA in San Francisco? May 6-9 | Join us!

ISO 22301 for Business Continuity – Benefits Explained

During the COVID-19 pandemic, the need for a solid business continuity management plan was put on full display. Practically overnight, many businesses had to move to a full remote state and stand up new systems, processes, and security measures to ensure business could run “as usual.” 

But a global pandemic isn’t the only thing that changes the way a business operates — extreme weather conditions may knock out server access, a technical hiccup could disrupt a department’s ability to access files, or a high-ranking member of the executive team could leave their job. All of these conditions could cause disruption and as such, organizations must have contingency plans in place to deal with any issues that arise.  

It’s time to for organizations to make sure they implement a Business Continuity Management System (BCMS). As the name suggests, a BCMS is a management system to help organizations plan for disruptions and ensure that critical business functions remain running in the event of an emergency.  

ISO 22301 Offers a Solution 

As it’s done with other information security and privacy management best practices, the International Organization for Standardization (ISO) created a framework and certification process for BCMS’ called ISO 22301: 2019 (ISO 22301). ISO 22301 was originally introduced in 2012 (minor updates were later introduced in 2019) with a goal to help organizations prevent, minimize, and recover from disruptive incidents without incurring financial and reputational penalties to their business.  

ISO 22301 certification is of particular interest to businesses with data centers, employees, or offices in multiple locations throughout the world. These businesses have a lot of “what if” scenarios to manage on a day-to-day basis. For example, one data center might be situated in an area that’s prone to hurricanes and a disruption to that data center could reverberate across the entire global organization. In this case, it’s extremely important that considerations for every location — not just the location of the data center — are included in a business continuity plan.  

Additionally, organizations that are data center providers, offer infrastructure as a service (IaaS), or offer their customers the equipment or tools needed to run their business, are all prime examples of organizations that would rely on a BCMS to mitigate risk and would want an ISO 22301 certification. 

Why Should Organizations Seek Certification? 

There are many benefits to pursuing an ISO 22301 certification. As an internationally recognized framework, ISO 22301 gives organizations the opportunity to provide peace of mind to their customers. With an ISO 22301 certificate in hand, organizations can show customers that they are a reliable business partner who will be able to restore operations in a timely manner should something happen.  

Internally, a proper BCMS gives an organization a sense of potential vulnerabilities and outlines steps to reduce downtime should an emergency occur. A BCMS is a single place to organize all potential vulnerabilities across locations, and file plans for each “what if” scenario. 

The Most Important Elements of ISO 22301 

What exactly does ISO 22301 include? The standard looks at a variety of areas within your organization — including leadership resources, operations in place to reduce the likelihood of incidents, and more. The major clauses of the standard are as follows: 

  • Clause 5: Leadership — Ensures appropriate management and resources are provided to support a business continuity plan.  
  • Clause 6: Planning — Looks at an organization’s ability to identify risks related to its operations and the locations in which it operates. 
  • Clause 7: Support — Ensures staff are available if in the event of an emergency, and that they are aware of their role in assisting the organization during such a time. This clause also covers communication procedures that are in place to notify customers of any issues when an incident occurs.  
  • Clause 8: Operations — Focuses on identifying necessary procedures to avoid or reduce the likelihood of incidents and steps to be taken when incidents occur.  
  • Clause 9: Evaluation — Covers how an organization will evaluate performance against its plan with appropriate metrics.  
  • Clause 10: Improvement — Defines actions an organization will take to continually improve its business continuity plan as corrective actions arise from audits, reviews, and exercises. 

The Certification Process 

Though it’s clear how a BCMS could benefit any organization, too many businesses still fail to plan ahead and only consider these issues in the midst of a crisis. There’s a better option. Gaining an ISO 22301 certification allows your organization to rest easy knowing that plans are in place to secure critical business functions in times of need. 

A-LIGN is an accredited certification partner and can guide you through every step of the ISO certification process. The process is separated into two stages and generally takes about six to eight weeks to complete. During Stage 1, the ISO experts at A-LIGN will review information about your business processes and operations, as well as the equipment and software that’s currently in place, the levels of control that have been established, and other regulatory requirements. In Stage 2, A-LIGN experts will evaluate the implementation and effectiveness of your BCMS to ensure it aligns with the ISO requirements and that all key performance objectives are being properly measured.  

Once an ISO 22301 certificate is issued, it is valid for three years. Throughout that time, A-LIGN will provide subsequent surveillance audits to ensure the BCMS is up-to-date and continues to cover the full scope of operations as your business grows and evolves. In addition to servicing companies that are new to the ISO 22301 process, A-LIGN is also able to guide organizations that were previously certified using the original 2012 standard as they update their certification to comply with 2019 updates.