Since its founding in the aftermath of World War II, the independent International Organization for Standardization (ISO), based in Geneva, Switzerland, has developed nearly 30,000 voluntary, consensus-based, market-relevant international standards that are vital to organizations participating in the global marketplace. In 2012 it published ISO 22301, the international standard for business continuity management (BCM), to harmonize and replace several earlier national standards and to align business continuity with the other ISO management system standards.
ISO 22301 was the first ISO standard dedicated to business continuity. It complements ISO/IEC 27031, the member of the ISO/IEC 27000 family of information security standards that covers ICT readiness for business continuity, i.e. the IT disaster recovery side. ISO/IEC 27031 is the specialist standard for keeping IT services recoverable; ISO 22301 takes over from there and specifies the organization-wide business continuity management system (BCMS). It provides a practical framework for establishing, operating, auditing and improving a BCMS, with the aim of protecting the organization from a wide range of threats and disruptions.
Make it a priority
Obtaining ISO 22301 certification should be high on the priority list of organizations that need to demonstrate to their stakeholders that they can rapidly overcome operational disruptions to provide continued and effective service. The certification process includes four essential steps:
- Designing, developing and implementing a business continuity management system (a 15-step process for building the BCM system is outlined in a separate guide).
- Interviewing and selecting a certification body (registrar) that is accredited by UKAS, ANAB or an equivalent accreditation body.
- Undergoing the stage one audit (a review of documentation and readiness, often conducted remotely) and the stage two audit (an onsite assessment of implementation and effectiveness), and responding to corrective action requests fully and promptly so that both conformity and the effectiveness of the remedy are demonstrated.
- Obtaining certification, then preparing for the first surveillance audit; certification runs on a three-year cycle with periodic surveillance audits and a recertification audit at the end of the cycle.
Achieving ISO 22301 certification places the organization in a select group of companies committed to business resilience, so it should be celebrated.
The process also enables BCM managers to ingrain the business continuity discipline across the enterprise. It not only gives you a better understanding of your organization, but also lets you implement a business continuity strategy with appropriate response tactics. Ultimately, you will be better placed to align resilience capabilities with the key management initiatives that drive continual improvement.
But like anything that’s worth doing, there will be challenges to overcome on the road to ISO 22301 certification.
Getting management buy-in may be the biggest challenge, especially once costs are considered. A carefully prepared cost-benefit analysis is essential. Demonstrate the value in business terms that management understands. Consider the costs of a major business disruption: lost revenue, lost market share and reputational damage, to name a few. Then show how an ISO-certified BCM system reduces the likelihood and the impact of those losses.
Some best practices in gaining management buy-in for an ISO 22301 certification program include:
- Ensure the participation of key process owners.
People have a lot to do and dislike mundane tasks such as filling out business impact analysis (BIA) questionnaires. The best way to avoid apathy is to automate the collection of this data and make it easy for users to enter it in an easy-to-use system. Then make sure they understand how they can use the information productively: sell the benefits of the BIA to each process owner by helping them find ways to improve their own program.
- Provide the necessary resources.
Demonstrate the business value of ISO certification in business terms (e.g. days-sales-outstanding creep, revenue loss, delay penalties, premium freight costs, reputational damage and, ultimately, loss of the business).
- Make sure the risk analysis and business impact analysis are comprehensive.
Use a structured methodology to identify risks and their impacts on the business.
- Avoid silos.
Make sure your methodology covers every department in the organization so that it shows the risks and business impacts across the entire enterprise.
- Make the program easy to understand.
There is no need to dissect each clause for every staff member. Keep the focus on the key steps to implementing your BCM system and achieving ISO 22301 certification.
- Appoint a business continuity champion and give them access to senior leadership so they can evangelize.
Include senior management in high-level business continuity awareness events and desktop (tabletop) exercises.
In short, by undertaking ISO 22301 certification you will gain a better understanding of your organization and learn how to ingrain the business continuity discipline across your enterprise. The ongoing surveillance of your business continuity management system will foster a spirit of continual improvement that complements your other management programs. You will align your organization's resilience capabilities with key management initiatives and with digital transformation of the business. And your enterprise will join a select group of companies committed to business continuity and resilience.