Business Continuity Management Systems (BCMS): Security and Resilience, ISO 22301:2019


Structure of ISO 22301:2019

The standard follows the ISO high-level structure for management systems:
• Context of the organization
• Leadership
• Planning
• Support
• Operation
• Performance evaluation
• Improvement

Overview of requirements by clause (O-L-P-S-O-E)

ORGANIZATION (context of the organization)
• Understanding the organization and its context
• Understanding the needs and expectations of interested parties
• Determining the scope of the business continuity management system
• Business continuity management system

LEADERSHIP
• Leadership and commitment
• Policy
• Roles, responsibilities and authorities

PLANNING
• Actions to address risks and opportunities
• Business continuity objectives and planning to achieve them
• Planning changes to the business continuity management system

SUPPORT
• Resources
• Competence
• Awareness
• Communication
• Documented information

OPERATION
• Operational planning and control
• Business impact analysis and risk assessment
• Business continuity strategies and solutions
• Business continuity plans and procedures
• Exercise programme
• Evaluation of business continuity documentation and capabilities

EVALUATION (performance evaluation and improvement)
• Monitoring, measurement, analysis and evaluation
• Internal audit
• Management review
• Nonconformity and corrective action
• Continual improvement
Context of the Organization

Understanding the organization and its context

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its BCMS.
• Events such as earthquakes, floods, hurricanes or wildfires can disrupt operations and infrastructure.
• Cybersecurity incidents or data breaches can compromise sensitive information and disrupt business processes.

Understanding the needs and expectations of interested parties

Interested parties include investors, regulators, shareholders, employees, customers, suppliers and competitors.

The organization shall:
• determine the interested parties and their requirements that are relevant to the BCMS;
• implement and maintain a process to identify, have access to, and assess the applicable legal and regulatory requirements related to the continuity of its products and services, activities and resources;
• ensure that these applicable legal, regulatory and other requirements are taken into account in implementing and maintaining its BCMS;
• document this information and keep it up to date.

Determining the scope of the business continuity management system

The organization shall determine the boundaries and applicability of the BCMS to establish its scope. When determining this scope, the organization shall consider:
• the external and internal issues;
• the requirements of the interested parties;
• its mission, goals, and internal and external obligations.

The organization shall establish the parts of the organization to be included in the BCMS, taking into account its location(s), size, nature and complexity, and identify the products and services to be included in the BCMS.

Business continuity management system

The organization shall establish, implement, maintain and continually improve a BCMS, including the processes needed and their interactions, in accordance with the requirements of this document.
• Develop a comprehensive business continuity policy outlining the organization's commitment to maintaining critical functions during disruptions.
• Execute regular risk assessments and business impact analyses to identify potential threats and vulnerabilities.


Leadership

Leadership and commitment

Top management shall demonstrate leadership and commitment with respect to the BCMS by:
• ensuring that the business continuity policy and objectives are established and are compatible with the strategic direction of the organization;
• ensuring the integration of the BCMS requirements into the organization's business processes;
• ensuring that the resources needed for the BCMS are available;
• ensuring that the BCMS achieves its intended outcome(s);
• promoting continual improvement;
• supporting other relevant managerial roles to demonstrate their leadership and commitment as it applies to their areas of responsibility.

Policy

Top management shall establish a business continuity policy that:
• is appropriate to the purpose of the organization;
• provides a framework for setting business continuity objectives;
• includes a commitment to satisfy applicable requirements;
• includes a commitment to continual improvement of the BCMS.

The business continuity policy shall:
• be available as documented information;
• be communicated within the organization;
• be available to interested parties, as appropriate.

Roles, responsibilities and authorities

Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization.

Top management shall assign the responsibility and authority for:
• ensuring that the BCMS conforms to the requirements of this document;
• reporting on the performance of the BCMS to top management.
Planning

Actions to address risks and opportunities

When planning for the BCMS, the organization shall determine the risks and opportunities that need to be addressed to:
• give assurance that the BCMS can achieve its intended outcome(s);
• prevent, or reduce, undesired effects;
• achieve continual improvement.

The organization shall plan:
• actions to address these risks and opportunities;
• how to integrate and implement the actions into its BCMS processes and evaluate the effectiveness of these actions.

Business continuity objectives and planning to achieve them

The business continuity objectives shall:
• be consistent with the business continuity policy;
• be measurable (if practicable);
• take into account applicable requirements;
• be monitored and communicated;
• be updated as appropriate.

When planning how to achieve its business continuity objectives, the organization shall determine:
• what will be done;
• what resources will be required;
• who will be responsible;
• when it will be completed;
• how the results will be evaluated.

Planning changes to the BCMS

When the organization determines the need for changes to the BCMS, the changes shall be carried out in a planned manner.

The organization shall consider:
• the purpose of the changes and their potential consequences;
• the integrity of the BCMS;
• the availability of resources;
• the allocation or reallocation of responsibilities and authorities.
Support

Resources

The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the BCMS.

Competence

The organization shall:
• determine the necessary competence of person(s) doing work under its control that affects its business continuity performance;
• ensure that these persons are competent on the basis of appropriate education, training, or experience;
• where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken;
• retain appropriate documented information as evidence of competence.

Awareness

Persons doing work under the organization's control shall be aware of:
• the business continuity policy;
• their contribution to the effectiveness of the BCMS, including the benefits of improved business continuity performance;
• the implications of not conforming with the BCMS requirements;
• their own role and responsibilities before, during and after disruptions.

Communication

The organization shall determine the internal and external communications relevant to the BCMS, including:
• on what it will communicate;
• when to communicate;
• with whom to communicate;
• how to communicate;
• who will communicate.

Documented information

• The organization's BCMS shall include documented information required by this document and determined by the organization as being necessary for the effectiveness of the BCMS.
• When creating and updating documented information, the organization shall ensure appropriate identification and description, format and media, and review and approval for suitability and adequacy.
Operation

Operational planning and control


The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in planning, by:
• establishing criteria for the processes;
• implementing control of the processes in accordance with the criteria;
• keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned.

Business impact analysis and risk assessment

The organization shall:
• implement and maintain systematic processes for analysing the business impact and assessing the risks of disruption;
• review the business impact analysis and risk assessment at planned intervals and when there are significant changes within the organization or the context in which it operates.

Business impact analysis

The organization shall use the process for analysing business impacts to determine business continuity priorities and requirements:
• define the impact types and criteria relevant to the organization's context;
• identify the activities that support the provision of products and services;
• use the impact types and criteria for assessing the impacts over time resulting from the disruption of these activities;
• identify the maximum tolerable period of disruption (MTPD) within which the impacts of not resuming activities would become unacceptable to the organization;
• set prioritized recovery time objectives (RTO) within the time identified in the MTPD for resuming disrupted activities at a specified minimum acceptable capacity;
• use this analysis to identify prioritized activities;
• determine which resources are needed to support prioritized activities;
• determine the dependencies, including partners and suppliers, and interdependencies of prioritized activities.

Risk assessment

The organization shall:
• identify the risks of disruption to the organization's prioritized activities and to their required resources;
• analyse and evaluate the identified risks;
• determine which risks require treatment.
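The BIA steps above (impacts over time, MTPD, RTO within MTPD, prioritized activities, dependencies) can be checked mechanically. The following is an added example, not part of the page or of ISO 22301 itself: it derives each activity's MTPD from assumed impact scores, orders activities by priority, and flags RTOs that sit outside the MTPD or that are later than the RTO of something the activity depends on. The activity names, impact types, time points, the 1 to 5 impact scale, the "unacceptable at 4 or above" threshold and the strict "RTO shorter than MTPD" margin are all constructed assumptions.

```python
"""Added example (not part of the page or of ISO 22301): a minimal BIA check.

Given assumed impact scores over time for each activity, derive each activity's
MTPD, order activities by priority, and verify that the RTOs set for them are
consistent with both the MTPD and their dependencies. All activity names,
impact types, time points and scores below are constructed sample data.
"""
from dataclasses import dataclass, field

# Assumed impact scale: 1 = negligible ... 5 = catastrophic. A score at or
# above this threshold is treated as "unacceptable to the organization".
UNACCEPTABLE = 4


@dataclass
class Activity:
    """An activity that supports the provision of a product or service."""
    name: str
    # impact type -> {hours since disruption: impact score}
    impact_over_time: dict
    # activities or resources this activity cannot run without
    depends_on: list = field(default_factory=list)
    # recovery time objective chosen by the organization, in hours
    rto_hours: int = None


def mtpd_hours(activity):
    """Maximum tolerable period of disruption: the earliest assessed time at
    which any impact type reaches the unacceptable threshold. Returns None when
    no assessed point is unacceptable (not time-critical in the assessed window)."""
    points = sorted({t for series in activity.impact_over_time.values() for t in series})
    for t in points:
        if any(series.get(t, 0) >= UNACCEPTABLE
               for series in activity.impact_over_time.values()):
            return t
    return None


def prioritize(activities):
    """Prioritized activities: shortest MTPD first; activities without an MTPD last."""
    def key(a):
        m = mtpd_hours(a)
        return (m is None, m if m is not None else 0, a.name)
    return sorted(activities, key=key)


def check_rtos(activities):
    """Return a list of findings; an empty list means the RTOs are consistent.

    Rule 1 (assumed margin): a time-critical activity needs an RTO strictly
            shorter than its MTPD.
    Rule 2: everything an activity depends on must have an RTO no later than
            the activity's own RTO, or the plan recovers the dependency too late.
    """
    by_name = {a.name: a for a in activities}
    findings = []
    for a in activities:
        m = mtpd_hours(a)
        if m is not None:
            if a.rto_hours is None:
                findings.append(f"{a.name}: MTPD {m}h but no RTO set")
            elif a.rto_hours >= m:
                findings.append(f"{a.name}: RTO {a.rto_hours}h is not within MTPD {m}h")
        for dep in a.depends_on:
            d = by_name.get(dep)
            if d is None:
                findings.append(f"{a.name}: depends on unknown activity '{dep}'")
            elif a.rto_hours is not None and (d.rto_hours is None or d.rto_hours > a.rto_hours):
                findings.append(f"{a.name}: depends on {dep}, whose RTO "
                                f"({d.rto_hours}) is later than {a.rto_hours}h")
    return findings


def sample_activities():
    """Constructed sample data; not from any real organization."""
    return [
        Activity("order-processing",
                 {"financial": {4: 1, 24: 2, 48: 4, 72: 5},
                  "reputation": {4: 1, 24: 3, 48: 3, 72: 4}},
                 depends_on=["erp", "identity"], rto_hours=24),
        Activity("erp", {"operational": {4: 2, 24: 4}},
                 depends_on=["identity"], rto_hours=8),
        Activity("identity", {"operational": {4: 4, 24: 5}}, rto_hours=2),
        Activity("payroll", {"legal": {72: 1, 168: 4}}, rto_hours=120),
        Activity("marketing-site", {"reputation": {24: 1, 72: 2, 168: 3}}),
    ]


if __name__ == "__main__":
    acts = sample_activities()
    for a in prioritize(acts):
        print(f"{a.name:18} MTPD={mtpd_hours(a)} RTO={a.rto_hours}")
    print("findings:", check_rtos(acts) or "none")
    # Push ERP's RTO past its MTPD: both ERP itself and order-processing,
    # which depends on it, should now be flagged.
    acts[1].rto_hours = 36
    for f in check_rtos(acts):
        print("finding:", f)
```

The dependency rule is the part most often missed in a spreadsheet BIA: an RTO of 24 hours for order processing is meaningless if the identity service it relies on is only planned to be back in 36 hours, so the check walks every dependency rather than looking at each activity in isolation.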
Business continuity strategies and solutions

Identification of strategies and solutions

Identification of strategies and solutions shall be based on the extent to which they:
• meet the requirements to continue and recover prioritized activities within the identified time frames and agreed capacity;
• protect the organization's prioritized activities and reduce the likelihood of disruption;
• shorten the period of disruption and limit the impact of disruption on the organization's products and services;
• provide for the availability of adequate resources.

Selection of strategies and solutions

Selection of strategies and solutions shall be based on the extent to which they:
• meet the requirements to continue and recover prioritized activities within the identified time frames and agreed capacity;
• consider the amount and type of risk the organization may or may not take;
• consider associated costs and benefits.

Resource requirements

The types of resources considered shall include, but not be limited to:
• people, information and data;
• physical infrastructure such as buildings, workplaces or other facilities and associated utilities;
• equipment and consumables, information and communication technology (ICT) systems;
• transportation and logistics, finance, suppliers.

Implementation of solutions

The organization shall implement and maintain selected business continuity solutions so they can be activated when needed.
Business continuity plans and procedures

The organization shall identify and document business continuity plans and procedures based on the output of the selected strategies and solutions. The procedures shall:
• be specific regarding the immediate steps that are to be taken during a disruption;
• be flexible to respond to the changing internal and external conditions of a disruption;
• focus on the impact of incidents that potentially lead to disruption;
• be effective in minimizing the impact through the implementation of appropriate solutions;
• assign roles and responsibilities for tasks within them.

Response structure

The organization shall implement and maintain a structure, identifying one or more teams responsible for responding to disruptions. The roles and responsibilities of each team and the relationships between the teams shall be clearly stated. The structure shall identify personnel and their alternates with the necessary responsibility, authority and competence to perform their designated role.

The teams shall be competent to:
• assess the nature and extent of a disruption and its potential impact;
• assess the impact against pre-defined thresholds that justify initiation of a formal response and activate an appropriate business continuity response;
• plan actions that need to be undertaken and establish priorities (using life safety as the first priority);
• monitor the effects of the disruption and the organization's response;
• activate the business continuity solutions;
• communicate with relevant interested parties, authorities and the media.
Warning and communication

The organization shall document and maintain procedures for:
• communicating internally and externally to relevant interested parties, including what, when, with whom and how to communicate;
• receiving, documenting and responding to communications from interested parties, including any national or regional risk advisory system or equivalent;
• ensuring the availability of the means of communication during a disruption;
• facilitating structured communication with emergency responders;
• providing details of the organization's media response following an incident, including a communications strategy;
• recording the details of the disruption, the actions taken and the decisions made;
• alerting interested parties potentially impacted by an actual or impending disruption;
• ensuring appropriate coordination and communication between multiple responding organizations.
Business continuity plans

The organization shall document and maintain business continuity plans and procedures. The business continuity plans shall provide guidance and information to assist teams to respond to a disruption and to assist the organization with response and recovery. The plans shall contain:
• details of the actions that the teams will take in order to continue or recover prioritized activities within predetermined time frames and to monitor the impact of the disruption and the organization's response to it;
• reference to the pre-defined threshold(s) and process for activating the response;
• procedures to enable the delivery of products and services at agreed capacity;
• details to manage the immediate consequences of a disruption, giving due regard to the welfare of individuals, the prevention of further loss or unavailability of prioritized activities, and the impact on the environment.

Each plan shall include:
• the purpose, scope and objectives;
• the roles and responsibilities of the team that will implement the plan;
• actions to implement the solutions;
• supporting information needed to activate (including activation criteria), operate, coordinate and communicate the team's actions;
• internal and external interdependencies;
• the resource requirements;
• the reporting requirements;
• a process for standing down.

Recovery

The organization shall have documented processes to restore and return business activities from the temporary measures adopted during and after a disruption.
Exercise programme

The organization shall conduct exercises and tests that:
• are consistent with its business continuity objectives;
• are based on appropriate scenarios that are well planned with clearly defined aims and objectives;
• develop teamwork, competence, confidence and knowledge for those who have roles to perform in relation to disruptions;
• taken together over time, validate its business continuity strategies and solutions;
• produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements;
• are reviewed within the context of promoting continual improvement;
• are performed at planned intervals and when there are significant changes within the organization or the context in which it operates.

The organization shall act on the results of its exercising and testing to implement changes and improvements.

Evaluation of business continuity documentation and capabilities

The organization shall:
• evaluate the suitability, adequacy and effectiveness of its business impact analysis, risk assessment, strategies, solutions, plans and procedures;
• undertake evaluations through reviews, analysis, exercises, tests, post-incident reports and performance evaluations;
• conduct evaluations of the business continuity capabilities of relevant partners and suppliers;
• evaluate compliance with applicable legal and regulatory requirements, industry best practices, and conformity with its own business continuity policy and objectives;
• update documentation and procedures in a timely manner.

These evaluations shall be conducted at planned intervals, after an incident or activation, and when significant changes occur.
Performance Evaluation

Monitoring, measurement, analysis and evaluation


The organization shall determine:
• what needs to be monitored and measured;
• the methods for monitoring, measurement, analysis and evaluation,
as applicable, to ensure valid results;
• when and by whom the monitoring and measuring shall be performed;
• when and by whom the results from monitoring and measurement
shall be analysed and evaluated.
The organization shall retain appropriate documented information as
evidence of the results.
The organization shall evaluate the BCMS performance and the effectiveness of the BCMS.

Internal audit

The organization shall conduct internal audits at planned intervals to provide information on whether the BCMS:
• conforms to the organization's own requirements for its BCMS;
• conforms to the requirements of this document;
• is effectively implemented and maintained.
Management review

Management review input

The management review shall include consideration of:
• the status of actions from previous management reviews;
• changes in external and internal issues that are relevant to the BCMS;
• information on the BCMS performance, including trends in nonconformities and corrective actions, monitoring and measurement evaluation results, and audit results;
• feedback from interested parties;
• the need for changes to the BCMS, including the policy and objectives;
• procedures and resources that could be used in the organization to improve the BCMS' performance and effectiveness;
• information from the business impact analysis and risk assessment;
• output from the evaluation of business continuity documentation and capabilities;
• risks or issues not adequately addressed in any previous risk assessment;
• lessons learned and actions arising from near-misses and disruptions;
• opportunities for continual improvement.

Management review output

The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the BCMS to improve its efficiency and effectiveness, including the following:
• variations to the scope of the BCMS;
• update of the business impact analysis, risk assessment, business continuity strategies and solutions, and business continuity plans;
• modification of procedures and controls to respond to internal or external issues that may impact the BCMS;
• how the effectiveness of controls will be measured.

The organization shall retain documented information as evidence of the results of management reviews. It shall:
• communicate the results of the management review to relevant interested parties;
• take appropriate action relating to those results.

Improvement

The organization shall determine opportunities for improvement and implement necessary actions to achieve the intended outcomes of its BCMS.

Nonconformity and corrective action

When a nonconformity occurs, the organization shall:
• react to the nonconformity, and, as applicable:
  • take action to control and correct it;
  • deal with the consequences;
• evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by:
  • reviewing the nonconformity;
  • determining the causes of the nonconformity;
  • determining if similar nonconformities exist, or can potentially occur;
• implement any action needed;
• review the effectiveness of any corrective action taken;
• make changes to the BCMS, if necessary.

The organization shall retain documented information as evidence of:
• the nature of the nonconformities and any subsequent actions taken;
• the results of any corrective action.

Continual improvement

The organization shall continually improve the suitability, adequacy and effectiveness of the BCMS, based on qualitative and quantitative measures.

The organization shall consider the results of analysis and evaluation, and the outputs from management review, to determine if there are needs or opportunities, relating to the business or to the BCMS, that shall be addressed as part of continual improvement.
Copyright International Organization for Standardization © ISO 2019 – All rights reserved. Provided by IHS Markit under license with ANSI.
