Iso 23008

Module 1: Fundamentals of Business Continuity Management Systems (BCMS)
Learning Outcomes
After completing this module, you will be able to:
 Demonstrate the business case for a business continuity management system.
 Summarize the different recognized standards or guidance on business continuity.
 Define the important terms in ISO 22301:2019.
 Outline the concerns of organizations during CoVID-19
 List the threats in the Work-from-Home model.
 State the reasons for the update of ISO 22301:2019.
 Interpret the changes in the main clauses of the standard.
 Discuss the steps for organizations to move forward for implementation and
certification against the standard.
Why Business Continuity in First Place?
Business owners might not be interested in the idea of business continuity in the first place.
But they need to think about some important dimensions for their business. They should
consider the following:
 Increased Cyber Threats and Attacks
 Home Based work increase the risk of breach for data protection and privacy
 Threat Actors will take advantage of the COVID-19 pandemic
A robust business continuity management system (BCMS) empowers organizations to
minimize the Mean Time to Contain Incidents (MTTC) and Mean time to identify
(MTTI) to much extent.
 For example; if a company is taking ninety days to contain a data breach incident.
With the help of BCMS it can be reduced to fifty days.
 BCMS also offers cost saving per day of breach. This is done with the help of MTTC
and MTTI reduction.
The Business Case for Business Continuity
With the advent of CoVID-19, there had been much emphasis on business continuity system.
Since businesses need to operate in lock-downs and where their suppliers cannot meet the
demand of essential supplies, they will face continuity challenges. Some factors of downtime
cost which are listed for businesses to consider the significance of business continuity:
 Productivity
 Reputation
 Legal and Regulatory
 Revenue
 Financial Performance
 Reputation
Some details on first three factors for organizations to consider the business case for business
continuity management systems:
Productivity
Productivity is heavily influenced by down times in following ways:
• Productivity Loss (In terms of Outputs)
• Due to low productivity, the employees also feel insecure and thus impacted
• To deal with the downtime, and to resume the productivity; additional specialized services
may be needed. The cost of such services in-case of unplanned situation can be high
Reputation
Reputation is also impacted with down time due to any threat or attack.
• Customers closely watch if a company has failed to operate in a down time and thus the
reputation is heavily damaged
• Suppliers and partners are also watchful of the organization's performance, in-case if they
fail to operate, they will fail to cater the needs of partners and suppliers
• The Financial markets observe the performance of the organization, and if the reputation is
going down due to down-time, the value of public shares also goes down
Legal, Regulatory & Other Requirements
There can be certain legal, regulatory or other requirements, for which company needs a
business continuity system to get it back in operations.
• Legal Requirements for essential services which needs organizations to operate
• Service-level agreements (SLA) that binds organizations to operate
• Other requirements
The last three factors are:
Revenue
In terms of revenue organizations has to face following for down times and as cost of non-
operation:
• Direct Loss
• Payment compensation for delay in services
• Loss of Future Revenue due to bad reputation and lost customers
• Losses in investment for example capacity losses during the time of down time
Financial Performance
Financial performance is other important factor to consider business continuity systems.
• Market Share loss due to interruption of supplies
• The liquidity issue, an organization may be unable to pay unless it has spare liquidity
• The impact of credit ratings of an organization, i.e. the ability of an organization to fulfill
their financial commitments, based on previous dealings.
Other Expenses
There are several other factors and expenses that is there in-case of a down time when
companies move to restore operations in an unplanned manner:
• Temporary workers for restoration or to maintain supply
• Rental equipment allocation for alternate work to maintain supply
• Overtime of employees to handle the disruption
• Additional shipping cost if supplies are maintained from third party or there is a shipment
issue
Different Levels of Recovery
The below illustration explains the level of contingency plan in case of failures.
NFPA 1600 on Continuity, Emergency and Crisis Management
NFPA 1600 is a standard for business continuity and emergency preparedness formulated by
the National Fire Protection Association. It was endorsed by the National Commission on
Terrorist Attacks upon the United States (also known as 9/11 commission) as US’s National
Preparation Standard. It has been opted by the U.S. Department of Homeland Security as a
standard for emergency preparedness. It is widely used by public, non-government
organizations, public and private departments on local, regional, national, international and
global basis.
Introduction to NFPA 1600
NFPA 1600 establishes a common criterion regarding business continuity management
systems and for other hazardous and emergency situations. This standard provides criteria for
preparedness in emergency situations.
NFPA Scope
The program covers governmental organizations at different levels and other different
organizations and industry
NFPA 1600 Document
The PDF version of 2019’s NFPA 1600 consists of 10 chapters and 13 Annexes (from Annex
A to Annex M).
BS 25999 Standard
BS 25999 was a standard formulated by the British Standards Institution (BSI) in 2007 for
business continuity strategies and plans. It replaced PAS 56 (Publicly Available
Specification) which was published in 2003 upon its publication.
Time-line
The first part of BS 25999_1:2006 was published in December 2006 whereas second part of
BS 25999_2:2006 was published in 2007.
BS 25999_2 was withdrawn and replaced by ISO 22301 in November 2012 and BS 25999_1
was withdrawn and replaced by ISO 22313 in early 2013.
Changes and Development
Both standards contributed to the formulation of international standards and other national
standards for BCMS.
Parts of BS 25999
There are two parts:
• Part 1, “BS 25999_1:2006 Business Continuity Management. Code of Practice”. It
provides general guidance regarding principles, processes and terminology recommended for
Business Continuity Management.
• Part 2, “BS 25999_2:2007 Specifications for Business Continuity Management”. It
specifies requirements for implementing, operating and improving Business Continuity
Management Systems.
ISO/IEC 27031 - ICT Readiness for Business Continuity
It can also enable an organization to measure those performance parameters which correlate
to its IRBC.
Introduction to ISO 27301
ISO 27031 describes principles for Information Communication Technology (ICT) for
business continuity and provides a structure and frameworks of methods to specify and
identify all aspects such as performance, criteria, design and implementation so as to ensure
an organization’s Information and Communication Technology readiness to ensure readiness
for business continuity. ISO 27301 can be applied to any private, governmental or non-
governmental organization which is planning to develop its ICT readiness for business
continuity (IRBC) and requires its ICT services and infrastructures which are ready to
support the organization’s business operations in the events which may lead to any disruption
which can affect the continuity and security of critical business functions.
Scope
ISO 27301 covers all the events (including those related to security) which can lead an ICT
infrastructure and systems to have an impact upon them. This includes practices regarding
information security handling, management ICT services and ICT planning.
Details on the Standard
ISO 27301 describes principles for Information Communication Technology (ICT) for
business continuity and provides a structure and frameworks of methods to specify and
identify all aspects such as performance, criteria, design and implementation so as to ensure
an organization’s Information and Communication Technology readiness to ensure readiness
for business continuity.
ISO 27301 can be applied to any private, governmental or non-governmental organization

which is planning to develop its ICT readiness for business continuity (IRBC) and requires
its ICT services and infrastructures which are ready to support the organization’s business
operations in the events which may lead to any disruption which can affect the continuity and
security of critical business functions.
ISO 24762 - ICT Disaster Recovery Services
It can also enable an organization to measure those performance parameters which correlate
to its ICT Readiness for Business Continuity (IRBC).
ISO 24762
ISO 24762 is another standard in-terms of business continuity management and provides
guidelines for provision of Information and Communication Technology Disaster Recovery
(ICT DR).
It can be applied to both “in-house” and “outsourced” ICT DR Service provides and
facilitators.
Specification of ISO 24762
It specifies:
· The requirements of implementation, operation, monitoring and maintenance of IC DR
services and facilities.
· The capabilities and practices which ICT DR service providers should possess and follow
so that they can provide a basic and secure environment suitable for operating and recovery
of the organization;
· Guidance needed for section of recovery site
· The guidance for ICT DR service providers so that they can continuously improve their
facilities and services
ISO 22301 - Business Continuity Management System Standard
The ISO 22301:2019 standard requires companies to not only establish high-level strategies
to make sure business continuity, but also to incorporate solutions to cope up with specific
risks and impacts relevant to continuity. The standard is titled as "Security and resilience —
Business continuity management systems — Requirements."
Management System References
ISO 22301:2019 standard references some primary concepts of management systems from
the most popular and internationally accepted Quality Management System i.e. ISO
9001:2015. It is important to understand ISO 9001, so as to understand ISO 22301 standard.
You can study ISO 9001 in another free online course on Alison: ISO 9001:2015 - Quality
Management System (QMS)
The Offerings of ISO 22301 for Organizations
ISO 22301 offers a system to plan, develop, implement, operate, monitor, review, maintain,
keep and continually enhance a BCMS - business continuity management system. It is
envisioned to empower companies to prepare for, protect against, respond to, and recover
whenever disruptive incidents st
Good News for Learners!
ISO 22301:2019, titled as "Security and resilience — Business continuity management
systems — Requirements",
is a paid international standard, and therefore we do not share copy of international copy
right standards with this course. However the good news is now at large and we like to share
it with our learners:
ISO has made the complete ISO 22301 Standard - Free to Read
The decision after the CoVID-19 outbreak. Learn can read the international standard here:
https://www.iso.org/obp/ui#iso:std:iso:22301:ed-2:v1:en
Make Use of the Offer, we don't know how long it is valid!
Learners our requested to make use of this offer, we don't know how long ISO will keep it
free to read publicly. As it is a paid international standard.
Examples of Possible Disruptions
Below illustration explain the different types of disruption, which an organization can face.
Basic Terms in BCMS
Some basic terms and notions in BCMS are:
Business Continuity
It is defined in ISO 22301 as "capability of an organization to continue the delivery of

products and services within acceptable time frames at predefined capacity during a
disruption".
Business Continuity Plan
It is defined in ISO 22301 as "documented information that guides an organization to

respond to a disruption and resume, recover and restore the delivery of products and services
consistent with its business continuity objectives".
Activity
It is defined in ISO 22301 as "set of one or more tasks with a defined output".
Terms Related to Disruption
Some of the important terms under the domain of disruptions are:
Disruption
It is defined in ISO 22301 standard as "incident, whether anticipated or unanticipated, that
causes an unplanned, negative deviation from the expected delivery of products and services
according to an organization’s objectives."
Impact
It is defined in ISO 22301 standard as "outcome of a disruption affecting objectives."

Business Impact
It is defined in ISO 22301 standard as "process of analyzing the impact over time of a
disruption on the organization."
It is important to note here that the outcome of business impact is a statement and
justification of business continuity requirements.
Other Important Terms in BCMS
Prioritized Activity
It is defined in ISO 22301 standard as "activity to which urgency is given in order to avoid
unacceptable impacts to the business during a disruption."
Resource
It is defined in ISO 22301 standard as "all assets (including plant and equipment), people,
skills, technology, premises, and supplies and information (whether electronic or not) that an
organization has to have available to use, when needed, in order to operate and meet its
objective."
Risk
It is defined in ISO 22301 standard as "effect of uncert

Outsource
To outsource, according to ISO 22301:2019 is to "make an arrangement where an external

organization performs part of an organization’s function or process."
It is important to note that an external organization is outside the scope of the management
system, although the outsourced function or process is within the scope.
Note for the Term "Risk"
It is important to note the following for "risk":
• An effect is a deviation from the expected and it can be positive or negative.
• Uncertainty is the state, even partial, of deficiency of information related to, understanding
or knowledge of, an event, its consequence, or likelihood.
• Risk is often characterized by reference to potential “events” and “consequences” or a
combination of these.
• Risk is often expressed in terms of a combination of the consequences of an event
(including changes in circumstances) and the associated likelihood of occurrence.
ISO 22301 defines _________ as the "effect of uncertainty on objectives." (Answer = Risk)
According to ISO 22301, __________ is defined as the "outcome of a disruption, affecting
objectives." (Answer= Impact)
Importance of Business Continuity (BC)
Business Continuity was important before the CoVID-19 pandemic as it is important today.
But the realization of the need for effective business continuity is felt immensely today after
the pandemic.
CoVID-19 Outbreak
Whole world is amidst chaos and mayhem at this time due to recent outbreak of Severe
Acute Respiratory Syndrome Corona Virus Disease-19 (SARS CoVID-19). The disease
started from Wuhan city in Hubei province of China and within two months, the virus spread
across the whole globe. It had infected well in hundred thousands and many people died due
to severe respiratory infections. It continued to spread and businesses have to close to fight
the outbreak, discontinuing their processes. Many big corporate have to face challenges when
their supplier base goes off and they face serious disruptions within supply chain.
The outbreak significantly affected every part of routine life. From small shops to large
restaurant chains, from small production units to large-scale factories, from home-run
businesses to large chains, everything faced a drastic change and came to halt.
The Impact of Pandemic on Businesses
The majority of businesses around the world toppled within the initial days of outbreak. The
virus not only affected stock markets of economic giants such as those of US, Japan, Europe
but also those of Asia such as India and Pakistan. In short, the economic situation of world is
at jeopardy right now.
It took time for businesses to understand the situation and plan accordingly. Meanwhile they
face various different losses.
The world is surely in a dilemma, and the importance of continuing all the businesses back
again is becoming call of the day. Continuing all the businesses will be a necessary thing to
do, as all the economies worldwide need to establish and uplift themselves again. Even
though many organizations are trying their best to keep functioning remotely, disturbance is
still being felt all around.
CoVID-19 Impact on Businesses
Some of the impact of CoVID-19 on businesses are:
 Production Loss or Production Stop
 Supply chain disruption or supplier not able to meet organization's demands
 Increased Cyber Vulnerabilities and Threats
 Information Technology Service Disruptions due to increased load
 Incidents related to data breach
 Privacy compromise or loss of confidential data
 Loss of employee productivity
 Work-from-Home challenges and failure to deliver
Post Pandemic - Organization's Concerns
Many organizations are showing these concerns that how will they be able to function
normally as there is lock-down and curfew in many places due to which many workers are
not able to come to offices.
The Uncertain Condition for Businesses
This uncertain situation due to pandemic is surely creating a lot of problems and other issues
with the businesses.
Work from Home Model
Facing the pandemic, many organizations advised employees to “work from home".
However, employees were not prepared for that and thus productivity, communication and
collaboration were all at stake. The escalating situation of the pandemic made this even more
difficult.
Moreover, many employees of different companies and enterprises are infected with the virus
and are placed in quarantine. This, obviously is resulting in a lack of workforce leading to
more downfall.
Cloud and Internet-Based Work from Home
Every company can adjust itself to work in this situation by working through internet-based
platforms.
Achieving these objectives can especially be easier if a company owns a hybrid infra-
structure, that is, it functions both as “on premise” and on cloud platforms.
Cloud platforms are considered as a significant tool for storage nowadays hence
accumulation of business data will be of little problem. Similarly, the absence of the usual
meetings in conference rooms can be inter-changed by online conference calls.
Note: The only concern is information security. The vendors for cloud services must be
legally restricted to ensure information security with the Service Level Agreements.
Control Of Traffic In Case Of Working Online
Notes for Working from Home through Internet
If your organization have all set to go online, the BCMS team should keep the following in
mind:
• Is your company capable enough to handle all that increased traffic of employees during
this period?
• Will you be able enough to keep your company’s data secure?
These and other questions like this may arise therefore there will be a need to upgrade your
VPN services and firewall structures. You can use Intrusion Protection Systems (IPS) to stop
any unauthorized access to your organization’s online matters.
Hackers And Their Strategies
At a point where CoVID-19 has nearly put stop everybody’s activities, there is still a group
which has sought this opportunity as a golden chance and they have increased their
activities.
Using the public fear of CoVID-19, many of them started disguising themselves as health
professionals and other officials from different government departments all over the world.
They send phishing emails to different individuals and many of them get scammed in the
process. As a result, those hackers gain access to their sensitive information.
Now imagine what undesirable impacts can be faced if any employee mistakenly ends up
giving away some sensitive information about your company. Therefore, you should educate
your employees about these scams and try to create a system where you can save your
employees’ inboxes, and in turn, your own organization from any potential breaches.
Strategies For Smaller Businesses
Small ventures and business projects are facing far worse consequences in this situation and
opting the costly strategies can increase more burden on them.
Therefore, they must make both short and long-term planning to minimize the impacts of
CoVID-19 on their businesses.
The Covid-19 pandemic has made more businesses realise the need for effective business
continuity. (Answer
ISO 22301:2019 Review & Changes
Introduction
ISO 22301 was updated in October 2019 in response to wide-scale changes being faced by
the business community worldwide. Further in this topic, ISO 22301:2019 is explored in
detail and what changes had been made in Business Continuity Management Systems
(BCMS) so as to fulfill the new requirements of the updated version.
What is ISO?
ISO or International Organization for Standardization is an international organization for

standardization founded in London on 23rd February, 1947. It has representatives from
different organizations from around the world.
It is currently headquartered in Geneva, Switzerland. The purpose of this organization is to

promote world trade by setting and maintaining equal standards throughout the world and its
164 member countries.
It designates different standards by using codes which also work as certifications for a
particular product.
Review of ISO 22301 and the New Publication
When was it Reviewed and Updated?
ISO 22301:2012 was reviewed in 2017 and in 2019 the new ISO 22301:2019, security and
resilience-Business community Management Systems-Requirements was published.
The Concept Behind Review of Standards
In order to keep their standards compliant to the latest requirements; ISO Management
System Standards undergo a review which usually takes place after every 5 years.
The ISO 22301 was put forward to be reviewed in 2017 and the re-evaluation process was
started after ISO began the process by looking for reviews and feedback from the
international community by consulting its members and respective Committee. It was thus
decided that the issues regarding technicalities and other problems related directly to the
Management System Standards which were covered in ISO 22301 will be reviewed.
Management System and Technical Requirements
The MSS of 22301 are made up of both management system requirements which are met in
the clauses 4,5,6,7 and 9. The technical requirements are listed in clause 8.
Non-Technical Requirements
The non-technical requirements had already undergone a review by ISO in 2012 with the
intentions of creating a management system which will prove to be more feasible for
organizations around the world.
High Level Structure
Standard is based on Annex L which was known as Annex SL in 2012 version) which is a
section of ISO/IEC (where IEC stands for International Electro-technical Commission).
Annex L prescribes how ISO’s management systems should be structured. It was then
integrated into ISO 22301:2012. The review of ISO 22301:2012 was carried out between
2017 and 2019, after which several new amendments were proposed in its structure.
ISO 22301:2019 - Changes and Updates
An account of changes and updates have been provided below:
Details of Changes
The basic changes in the new standard are:

• The new requirements conform to ISO’s management system standards following the birth
of Annex SL in 2012.
• No new requirements are added but significant changes have been made to the old ones,
making them more comprehensible and easier to comply with.
• Business community requirements which are discipline-specific are listed in clause 8.
• Several previous discipline-specific requirements have been upgraded to make them more
lucid and
• Clause 8 is made more simplified and has been transformed into easily comprehensible
language.
Addition in Introduction
Addition of a new section within the introduction with the name of benefits of a business
continuity management system has been added which can prove to be useful for senior
management of an organization as well as for the whole organization.
Overview of the Main Auditable Clauses
Clause 1 to Clause 3 are for guidance and are not audit-able clauses. The remaining clauses
are editable which are discussed below:
Clause - 4: Context of Organization
It incorporates the requirements needed to develop the context of the BCMS applicable to the
organization along with the requirements and scope.
Clause - 5: Leadership
It summarizes the requirements related to top management’s role in the BCMS, and how
leadership expresses its expectations to the organization via a policy statement.
Clause - 6: Planning
It explains the requirements for developing strategic objectives and guiding principles for the
BCMS as a whole.
Clause - 7: Support
This clause is related to support functions of the BCMS operations related to developing
competence and communication on a recurring ground with interested parties, while
controlling, maintaining, documenting and retaining the needful documented information.
Clause - 8: Operation
This clause explains business continuity needs, explains how to address them and identifies
procedures to control a disruption suffered by the organization.
Clause - 9: Performance Evaluation
This clause summarizes the requirements vital to measure business continuity performance,
BCMS conformity with this document, and to perform management review.
Clause - 10: Improvement
This clause recognizes and acts on BCMS nonconformity and continual improvement
through corrective action.
ISO 22301:2019 - Summary of Changes in Main Clauses
Clause 3- Terms And Definitions
Some new examples are added along with the addition of revised terms and definitions (such
as disruption and impact), while others have been omitted. Some changes to the respective
notes are also made. Readers can refer to ISO 22300:2018, which includes many of these
new terms and definitions.
Clause 4 – Understanding the Organization and Its Context
This part of the clause is much reduced in length and is only needed by individuals working
on higher levels. The need for penning down the details of what the context of an
organization might look like have been reduced to minimal just like ISO 9001:2015. Now all
you need is to decide what the internal and external issues are.
The PDCA Cycle
The PDCA cycle, which is also known as Shewhart cycle, is a four-step management method
used by different business models which ensures control and continuous improvement of
processes and products.
ISO 22301 standard is designed on the PDCA model.
Plan Phase: Clause 4, Clause 5, and Clause 6 are part of the Plan phase.
Do Phase: Clause 7 and Clause 8 is the part of the Do Phase.
Check: Clause 9 is the part of Check Phase.
Act: Clause 10 is the part of Act Phase.
Planning (Clause - 6)
This clause has been re-framed to meet the requirements of other Managing Services
Systems. ISO 22301’s clause 6 “now includes planning changes to the BCMS.” Other MSS
users should make necessary arrangements to fulfill this requirement.
Users who are already using ISO 22301 only should now give direct thought to and take
decision on how they will make their plans to bring changes in the BCMS.
Addressing Change (Clause - 6.3)
With the changes made in clause 6.3, organizations might look up to making different
changes in responsibilities and authorities. This can be looked upon as how an organization
makes preparations, makes plans and develops new and competent and suitable staff for their
offices so that these changes can be implemented. These changes are not taken into an
appropriate consideration as they should be so that they can help in functioning of a business
smoothly.
Business Continuity Policy (Clause - 5.2)
There was a duplication in the 2012’s version as demand to review the policy for suitability
was present in the Policy clause (5.2.2) and in Management Review Inputs (Clause 9.3.2 e).
However, in the 2019 version, this statement has been reduced and is present only with the
Management Review Inputs’ clause 93.2.e.
Communication (Clause - 7.4)
This clause now only interprets other MSS in such a way that; it only refers to the needs
which should be fulfilled to communicate elements of the Business Continuity Management
System.
In the 2012’s version of ISO 22301, there was an overlapping between the wordings of
management systems communications expectations as well as wordings which were specified
for managing business continuity communications, for instance making sure the availability
of different sources of communication during a disruptive incident. All the BCSM
requirements can now be found under the Sub clause - 8.4.3.1.
Operation (Clause - 8) - Business Continuity Capabilities of Suppliers
ISO 22301:2012 users criticize the lack of detailed requirements regarding the purpose for
which an organization should manage its supply chain’s business continuity capabilities and
that to, on its own. Although a loose reference to address this concern was made at the end of
clause 8.3.1 which stated:
“An organization should conduct evaluation of the business continuity capabilities of its
suppliers.”
Business Impact Analysis - BIA (Sub Clause - 8.2.2)
The new version now highlights the requirements to define “impact types and criteria” which
are pertinent with the organization’s context and can be used for assessment of impact with
changes in time.
Explanation on Business Continuity Capabilities of Suppliers
Although mentioned with clarity, the statement in the standard is sort of a vague sentence
which can be interpreted into various ways without being any specific “requirement”
attached with it and without any further details.
The new ISO 22301:2019 is not anymore specific (clause 8.6 C can be looked upon for
reference) but it does contain a detailed document, ISO 22318 - "Societal Security-Business
continuity management systems - Guidelines for supply chain continuity” which
contains additional and detailed information regarding this problem.
The upcoming version of ISO 22313 (which is published in early 2020) contains different
examples of impact types such as Financial impact, Reputation impact, Legal Impact,
Regulatory Impact and Operational Impact. (Keeping in mind that it is not the complete list
of impacts listed in ISO 22313). These concepts are not knew and many organizations
already consider them in their Business Impact Analysis (BIA) and other risk management
methods.
Explanation on BIA Supplementary Information
Therefore, this change discussed above, should be considered as a clarification rather than a
new addition or requirement. Some ISO 22301 users should now ensure that their BIA and
other risk management methodologies reflect this clause. They can have a look at ISO 22317
Societal security - Business continuity management systems - Guidelines for business
impact analysis (BIA) for further information.
Use of BIA analysis is to determine the prioritized tasks. In this regard, (Clause 8.2.2: G &
H) only extend to prioritize activities and tasks.
Previous references made to “risk appetite” have been omitted from the “Risk Assessment
Sub Clause - 8.2.3 (although it is still present to some extent in Context Sub Clause - 4.1 &
Note and Strategies Sub Clause - 8.3.3). This decision was taken because ISO 31000 Risk
Management – Guidelines no longer refers to risk appetite.
Solutions Implementation (Sub Clause - 8.3.5)
Implement and maintain selected business continuity solutions so that they can be activated
when needed.
Although this may sound explicit, but many of the organizations are already reviewing their
strategies and where their application can be done as their businesses mature or change and
also making further changes in them as per the requirements.
Clause - 8.4)
This section proves to be of interest for both the system implementer and the auditor as it
contains some subtle differences which need to be addressed, maybe for the first time. The
wordings of the standard focusing on the business continuity plans and procedures shall;
• Be written in such a way that one or more teams should be responsible to address the
disruptions.
• “Relationship” between the teams should be well addressed along with their roles and
responsibilities.
• Each team must be able to identify personnel from different teams including those who are
alternates and state responsibility, authority and competence designated for a specific role.
• Details that address the management of immediate after-effects of an undesirable event.
(Should also include management of impacts on environment).
• Each plan should include a process in case of a resignation. (This was already mentioned on
the collective list in Clause 8.4.4 g).
• Each plan should be made in such a way that it can be put to use at any time and any place
as per the requirement.
Business Continuity Strategy (Sub Clause - 8.3)
This term is now changed to “Business continuity strategy and solutions.” A single or a
number of solutions can be used to form new strategy. It is the same old stuff and readers
should not confuse themselves with change in terminology. An example to understand can be
given as implementation of a certain strategy surrounded by a presence of a solution which
can be used to find an alternative location for the company’s new office or use of a contract
with a third party. Another change made is the extension of “logistics” in Resource
Requirements; Transportation (Clause 8.3.4 f).
Explanation of BC Plans (Sub Clause - 8.4) for Audits
Is there a need that organizations should review and make adequate changes in your Business
Continuity Management Systems (BCMS) arrangements so that these requirements are
addressed clearly.
For instance, consider the word “relationship.” How will you describe them to your auditor?
Sub Clause - 8.4.2.2 says "The roles and responsibilities of each team and the
relationships between the teams shall be clearly stated."
Exercise Program (Clause - 8.5)
Again, some new words have been added which require consideration. An organization now
should be competent enough along with having an ample knowledge and a confident team
which can work with the spirit of teamwork so that disruptive incidents can be addressed in a
good manner.
Expectation
The Standard is now expecting organizations to explore more and consider the different
aspects required for business continuity. One have to think of different ways through which
organization can demonstrate in front of an auditor who may like to see your compliance
with each requirement.
Performance Evaluation (Clause - 9)
Measurement and Monitoring (Clause - 9.1)
Different actions required to evaluate performance such as measurement, monitoring analysis

and evaluation itself now not only require identification of when monitoring and measuring
will be done but also that “who” will evaluate and analyze the results and when. This
accountability which was considered as an extra is now a requirement and may assist people
on focusing on their work more.
A reference made for the performance metrics has been removed but that doesn’t mean that
one should stop using those even if they have proved to be helpful for organizations.
Deficient performance could include non-conformity, near misses, false alarms, and actual
incidents.
Removal of Evaluation of Business Continuity Procedures
Performance evaluation now only focuses on the business continuity management system
and not on the business continuity documentation and capabilities with the cleaning of clause
requirements.
Way Forward for Conformance
ISO 22301:2019 requires companies to spot the changes which were not present within the
previous version. It also provides a broader view of business continuity management system.
A BCMS still requires to focus on the PDCA model as well as the timing. Hence it should be
kept in mind when one is developing BCMS and when to review and update it.
A Questionnaire from the Standard
An auditor will use the “list” of requirements in a standard to make a questionnaire. These
requirements are just like any checklist, and you should be able to show that you are
compliant enough with each “sub” requirement.
A competent auditor will be fully aware about which questions you have answered and which
have been unanswered, so prepare yourself accordingly.
Transitioning to ISO 22301:2019
If your organization is currently certified to the previous version of ISO 22301, you should
make the transition plan from ISO 22301:2012 to ISO 22301:2019 before 30th October, 2019
after which ISO 22301:2012 will no longer be valid.
BSI (British Standard Institution) has stated that it will continue to conduct audits against the
older version of ISO 22301 until 30 April 2021 so that you can get enough time to update
and align your system with ISO 22301:2019.
It should be noted here that all the certification bodies which are using the standard of ISO
22301:2012 should first transition themselves to the 2019’s version of ISO 22301 and their
transition should be accredited by the UKAS (UK’s National Accreditation Body) before
being able to offer certifications to their new clients to the latest version of the standard.
Steps to Follow for Transition
As an organization, one must do following:
• Gap analysis of current system versus the system needed by ISO 22301:2019
• Make a project plan based on the gaps to work on the gaps
• Implement the plan and fulfill all requirements that were not met previously
• Conduct an internal audit as per the new standard
• Conduct a management review as per the new standard
• Go for the transition audit with a certification body
To keep them up to date, ISO Management Systems Standards are reviewed every
__________ years. (Answer = 5)
Introduction
What is ISO?
particular product.
BCMS as a whole.
Clause - 7: Support
The PDCA Cycle

Introduction
What is ISO?

particular product.

The Concept Behind Review of Standards
In order to keep their standards compliant to the latest requirements; ISO Management
System Standards undergo a review which usually takes place after every 5 years.
The ISO 22301 was put forward to be reviewed in 2017 and the re-evaluation process was
started after ISO began the process by looking for reviews and feedback from the
international community by consulting its members and respective Committee. It was thus
decided that the issues regarding technicalities and other problems related directly to the
Management System Standards which were covered in ISO 22301 will be reviewed.
Management System and Technical Requirements
The MSS of 22301 are made up of both management system requirements which are met in
the clauses 4,5,6,7 and 9. The technical requirements are listed in clause 8.
Non-Technical Requirements
The non-technical requirements had already undergone a review by ISO in 2012 with the
intentions of creating a management system which will prove to be more feasible for
organizations around the world.
High Level Structure
Standard is based on Annex L which was known as Annex SL in 2012 version) which is a
section of ISO/IEC (where IEC stands for International Electro-technical Commission).
Annex L prescribes how ISO’s management systems should be structured. It was then
integrated into ISO 22301:2012. The review of ISO 22301:2012 was carried out between
2017 and 2019, after which several new amendments were proposed in its structure.
ISO 22301:2019 - Changes and Updates

An account of changes and updates have been provided below:
Details of Changes
The basic changes in the new standard are:

• The new requirements conform to ISO’s management system standards following the birth
of Annex SL in 2012.
• No new requirements are added but significant changes have been made to the old ones,
making them more comprehensible and easier to comply with.
• Business community requirements which are discipline-specific are listed in clause 8.
• Several previous discipline-specific requirements have been upgraded to make them more
lucid and
• Clause 8 is made more simplified and has been transformed into easily comprehensible
language.
Addition in Introduction
Addition of a new section within the introduction with the name of benefits of a business
continuity management system has been added which can prove to be useful for senior
management of an organization as well as for the whole organization.

BCMS as a whole.
Clause - 7: Support

The PDCA Cycle
Planning (Clause - 6)
This clause has been re-framed to meet the requirements of other Managing Services
Systems. ISO 22301’s clause 6 “now includes planning changes to the BCMS.” Other MSS
users should make necessary arrangements to fulfill this requirement.
Users who are already using ISO 22301 only should now give direct thought to and take
decision on how they will make their plans to bring changes in the BCMS.
Addressing Change (Clause - 6.3)

With the changes made in clause 6.3, organizations might look up to making different
changes in responsibilities and authorities. This can be looked upon as how an organization
makes preparations, makes plans and develops new and competent and suitable staff for their
offices so that these changes can be implemented. These changes are not taken into an
appropriate consideration as they should be so that they can help in functioning of a business
smoothly.
Business Continuity Policy (Clause - 5.2)
There was a duplication in the 2012’s version as demand to review the policy for suitability
was present in the Policy clause (5.2.2) and in Management Review Inputs (Clause 9.3.2 e).
However, in the 2019 version, this statement has been reduced and is present only with the
Management Review Inputs’ clause 93.2.e.
Communication (Clause - 7.4)
This clause now only interprets other MSS in such a way that; it only refers to the needs
which should be fulfilled to communicate elements of the Business Continuity Management
System.
In the 2012’s version of ISO 22301, there was an overlapping between the wordings of
management systems communications expectations as well as wordings which were specified
for managing business continuity communications, for instance making sure the availability
of different sources of communication during a disruptive incident. All the BCSM
requirements can now be found under the Sub clause - 8.4.3.1.
Operation (Clause - 8) - Business Continuity Capabilities of Suppliers

ISO 22301:2012 users criticize the lack of detailed requirements regarding the purpose for
which an organization should manage its supply chain’s business continuity capabilities and
that to, on its own. Although a loose reference to address this concern was made at the end of
clause 8.3.1 which stated:
“An organization should conduct evaluation of the business continuity capabilities of its
suppliers.”
Business Impact Analysis - BIA (Sub Clause - 8.2.2)
The new version now highlights the requirements to define “impact types and criteria” which
are pertinent with the organization’s context and can be used for assessment of impact with
changes in time.
The upcoming version of ISO 22313 (which is published in early 2020) contains different
examples of impact types such as Financial impact, Reputation impact, Legal Impact,
Regulatory Impact and Operational Impact. (Keeping in mind that it is not the complete list
of impacts listed in ISO 22313). These concepts are not knew and many organizations
already consider them in their Business Impact Analysis (BIA) and other risk management
methods.
Explanation on Business Continuity Capabilities of Suppliers
Although mentioned with clarity, the statement in the standard is sort of a vague sentence
which can be interpreted into various ways without being any specific “requirement”
attached with it and without any further details.
The new ISO 22301:2019 is not anymore specific (clause 8.6 C can be looked upon for
reference) but it does contain a detailed document, ISO 22318 - "Societal Security-Business
continuity management systems - Guidelines for supply chain continuity” which
contains additional and detailed information regarding this problem.
Explanation on BIA Supplementary Information
Therefore, this change discussed above, should be considered as a clarification rather than a
new addition or requirement. Some ISO 22301 users should now ensure that their BIA and
other risk management methodologies reflect this clause. They can have a look at ISO 22317
Societal security - Business continuity management systems - Guidelines for business
impact analysis (BIA) for further information.
Use of BIA analysis is to determine the prioritized tasks. In this regard, (Clause 8.2.2: G &
H) only extend to prioritize activities and tasks.
Previous references made to “risk appetite” have been omitted from the “Risk Assessment
Sub Clause - 8.2.3 (although it is still present to some extent in Context Sub Clause - 4.1 &
Note and Strategies Sub Clause - 8.3.3). This decision was taken because ISO 31000 Risk
Management – Guidelines no longer refers to risk appetite.
Solutions Implementation (Sub Clause - 8.3.5)

Implement and maintain selected business continuity solutions so that they can be activated
when needed.
Although this may sound explicit, but many of the organizations are already reviewing their
strategies and where their application can be done as their businesses mature or change and
also making further changes in them as per the requirements.
Clause - 8.4)
This section proves to be of interest for both the system implementer and the auditor as it
contains some subtle differences which need to be addressed, maybe for the first time. The
wordings of the standard focusing on the business continuity plans and procedures shall;
• Be written in such a way that one or more teams should be responsible to address the
disruptions.
• “Relationship” between the teams should be well addressed along with their roles and
responsibilities.
• Each team must be able to identify personnel from different teams including those who are
alternates and state responsibility, authority and competence designated for a specific role.
• Details that address the management of immediate after-effects of an undesirable event.
(Should also include management of impacts on environment).
• Each plan should include a process in case of a resignation. (This was already mentioned on
the collective list in Clause 8.4.4 g).
• Each plan should be made in such a way that it can be put to use at any time and any place
as per the requirement.
Business Continuity Strategy (Sub Clause - 8.3)
This term is now changed to “Business continuity strategy and solutions.” A single or a
number of solutions can be used to form new strategy. It is the same old stuff and readers
should not confuse themselves with change in terminology. An example to understand can be
given as implementation of a certain strategy surrounded by a presence of a solution which
can be used to find an alternative location for the company’s new office or use of a contract
with a third party. Another change made is the extension of “logistics” in Resource
Requirements; Transportation (Clause 8.3.4 f).
Explanation of BC Plans (Sub Clause - 8.4) for Audits
Is there a need that organizations should review and make adequate changes in your Business
Continuity Management Systems (BCMS) arrangements so that these requirements are
addressed clearly.
For instance, consider the word “relationship.” How will you describe them to your auditor?
Sub Clause - 8.4.2.2 says "The roles and responsibilities of each team and the
relationships between the teams shall be clearly stated."
Exercise Program (Clause - 8.5)
Again, some new words have been added which require consideration. An organization now
should be competent enough along with having an ample knowledge and a confident team
which can work with the spirit of teamwork so that disruptive incidents can be addressed in a
good manner.
Expectation
The Standard is now expecting organizations to explore more and consider the different
aspects required for business continuity. One have to think of different ways through which
organization can demonstrate in front of an auditor who may like to see your compliance
with each requirement.
Performance Evaluation (Clause - 9)
Measurement and Monitoring (Clause - 9.1)
Different actions required to evaluate performance such as measurement, monitoring analysis
and evaluation itself now not only require identification of when monitoring and measuring
will be done but also that “who” will evaluate and analyze the results and when. This
accountability which was considered as an extra is now a requirement and may assist people
on focusing on their work more.
A reference made for the performance metrics has been removed but that doesn’t mean that
one should stop using those even if they have proved to be helpful for organizations.
Deficient performance could include non-conformity, near misses, false alarms, and actual
incidents.
Removal of Evaluation of Business Continuity Procedures
Performance evaluation now only focuses on the business continuity management system
and not on the business continuity documentation and capabilities with the cleaning of clause
requirements.
Way Forward for Conformance
ISO 22301:2019 requires companies to spot the changes which were not present within the
previous version. It also provides a broader view of business continuity management system.
A BCMS still requires to focus on the PDCA model as well as the timing. Hence it should be
kept in mind when one is developing BCMS and when to review and update it.
A Questionnaire from the Standard

An auditor will use the “list” of requirements in a standard to make a questionnaire. These
requirements are just like any checklist, and you should be able to show that you are
compliant enough with each “sub” requirement.
A competent auditor will be fully aware about which questions you have answered and which
have been unanswered, so prepare yourself accordingly.
Transitioning to ISO 22301:2019

If your organization is currently certified to the previous version of ISO 22301, you should
make the transition plan from ISO 22301:2012 to ISO 22301:2019 before 30th October, 2019
after which ISO 22301:2012 will no longer be valid.
BSI (British Standard Institution) has stated that it will continue to conduct audits against the
older version of ISO 22301 until 30 April 2021 so that you can get enough time to update and
align your system with ISO 22301:2019.
It should be noted here that all the certification bodies which are using the standard of ISO
22301:2012 should first transition themselves to the 2019’s version of ISO 22301 and their
transition should be accredited by the UKAS (UK’s National Accreditation Body) before
being able to offer certifications to their new clients to the latest version of the standard.
Steps to Follow for Transition

As an organization, one must do following:
• Gap analysis of current system versus the system needed by ISO 22301:2019
• Make a project plan based on the gaps to work on the gaps
• Implement the plan and fulfill all requirements that were not met previously
• Conduct an internal audit as per the new standard
• Conduct a management review as per the new standard
• Go for the transition audit with a certification body

Iso 23008

Uploaded by

Copyright:

Available Formats

Iso 23008

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Iso 23008

Uploaded by

Copyright:

Available Formats

Module 1: Fundamentals of Business Continuity Management Systems (BCMS)

ISO 27301 can be applied to any private, governmental or non-governmental organization

It is defined in ISO 22301 as "capability of an organization to continue the delivery of

It is defined in ISO 22301 as "documented information that guides an organization to

It is defined in ISO 22301 standard as "outcome of a disruption affecting objectives."

It is defined in ISO 22301 standard as "effect of uncert

To outsource, according to ISO 22301:2019 is to "make an arrangement where an external

ISO or International Organization for Standardization is an international organization for

It is currently headquartered in Geneva, Switzerland. The purpose of this organization is to

The basic changes in the new standard are:

Different actions required to evaluate performance such as measurement, monitoring analysis

ISO 22301:2019 Review & Changes

ISO or International Organization for Standardization is an international organization for

Review of ISO 22301 and the New Publication

ISO 22301:2019 - Changes and Updates

The basic changes in the new standard are:

Overview of the Main Auditable Clauses

ISO 22301:2019 - Summary of Changes in Main Clauses

Clause 4 – Understanding the Organization and Its Context

Addressing Change (Clause - 6.3)

Operation (Clause - 8) - Business Continuity Capabilities of Suppliers

Solutions Implementation (Sub Clause - 8.3.5)

A Questionnaire from the Standard

Transitioning to ISO 22301:2019

Steps to Follow for Transition

You might also like