ISO 22301 is a standard that specifies the requirements for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a management system that protects an organization against disruptive incidents, and lets it recover from those that could stop it from doing business.
ISO 22301 defines a management system that applies to all organizations regardless of their size, type or sector. The scope is determined by each organization and depends on its structure, operating environment and complexity.
Why apply the ISO 22301 Business Continuity Management System?
Each organization may want to apply business continuity management for different reasons. In successful implementations, the organization understands the benefits it will gain and shows the corresponding commitment. Typical benefits include:
• Observing business continuity performance through metrics,
• Determining the requirements for business continuity,
• Preparing appropriate business plans and making preparations against threats,
• Ensuring realistic and appropriate use of resources to maintain business continuity.
The ISO 22301 Business Continuity Management System is a framework that organizations of different sectors, sizes and complexities can implement successfully. With it, an organization aims to:
• Plan, establish, implement and maintain the Business Continuity Management System,
• Comply with the business continuity principles it has defined,
• Demonstrate its business continuity structure to other parties,
• Obtain certification by an accredited body,
• Declare its compliance with the requirements of this standard to its business partners.
ISO 22301:2012 Basic Sections
The clauses of ISO 22301 are structured according to ISO Guide 83. These sections are:
Article 4: Organization
Article 5: Leadership
Article 6: Planning
Article 7: Support
Article 8: Application
Article 9: Performance evaluation
Article 10: Improvement
Article 4: Organization
In order for the organization to achieve its business continuity purpose, it must evaluate the internal and external factors related to its operation, including:
• The potential effect of disruptive events on the organization's activities, functions, services, products, partnerships, supply chains and relationships,
• The link between the business continuity policy and the organization's goals, objectives and other policies, including its overall risk management strategy,
• The degree to which the organization is exposed to risk, and weaknesses in its sector or structure,
• The expectations and requirements of interested parties,
• The laws, regulations and other requirements the organization has to comply with.
When determining the scope of business continuity, this section requires the organization to evaluate its strategic objectives, its main products and services, its risk tolerance, and the legal and contractual obligations it is subject to.
Article 5: Leadership
Senior management should demonstrate continuous support and commitment to fulfilling the requirements of the Business Continuity Management System (BCMS). Management should ensure that the organization allocates resources to meet its goals and objectives.
Responsibilities of senior management:
• Ensuring that the BCMS is compatible with the strategic objectives of the organization,
• Integrating the BCMS requirements into the business processes of the organization,
• Providing the necessary resources for the BCMS,
• Communicating the importance of effective business continuity management to relevant parties,
• Ensuring that the BCMS achieves its intended outcomes,
• Directing and supporting continual improvement,
• Establishing and communicating the business continuity policy,
• Developing BCMS plans,
• Identifying the necessary responsibilities and assigning the corresponding authority.
Article 6: Planning
This article describes what the planning must include in order to implement a successful business continuity structure in the organization. The BCMS aims to address the risks the organization has identified. Business continuity objectives must:
• Be consistent with the business continuity policy,
• Take into account the minimum level of products and services the organization needs to achieve its objectives,
• Be measurable,
• Take into account the current requirements of the organization,
• Be monitored and updated as appropriate.
Article 7: Support
Effective business continuity management is achieved by providing the necessary resources continuously and at every stage of implementation. These resources include trained and competent personnel, awareness raising, and an established communication environment. This support should be underpinned by a properly managed documentation system.
Both internal and external communication, including the content and timing of that communication, are addressed in this section.
The requirements for creating, updating and controlling documented information are also specified in this section.
Article 8: Application
This is the stage where the plans for achieving business continuity are put into operation. The content of this section:
Business Impact Analysis (BIA): Business impact analysis identifies the activities that support the organization's key products and services, the minimum acceptable level at which those critical processes must be maintained, and the dependencies between them.
Risk assessment: For the operation of this process, ISO 22301 refers to the ISO 31000 Risk Management standard. The aim of this requirement is to establish, implement and maintain a documented risk assessment process that identifies, analyses and evaluates the risk factors affecting the organization.
Business Continuity Strategy: Based on the results of the business impact analysis and the risk assessment, strategies should be developed to prevent threats to the critical processes of the organization.
Experience and best practices can help create strategies with appropriate indicators to ensure the business continuity of the organization. The business continuity strategy should be an integral part of the organization's corporate strategy.
Business Continuity Procedures: The organization should document the methods by which it will maintain business continuity in the face of incidents that could disrupt it. These procedures should:
• Define appropriate internal communication rules,
• Set out the steps to be taken in the event of a disruption,
• Be flexible enough to respond to changing internal and external conditions and unexpected threats,
• Focus on the impact of events that could potentially disrupt operations,
• Be developed on the basis of stated assumptions and an analysis of interdependencies,
• Include appropriate mitigation and risk reduction measures.
Exercising and Testing: To ensure that the business continuity procedures are consistent with the business continuity objectives, the organization must exercise and test these procedures regularly. The exercises and tests should validate the business continuity plans, and the results achieved within the target timeframes set by the chosen strategies should reach the level accepted by management.
Article 9: Performance evaluation
After the Business Continuity Management System is established, it should be monitored at defined intervals so that it can be improved. Topics to be monitored:
• Achievement of the scope, policy and objectives of business continuity,
• The performance of the actions of processes, methods and functions,
• Compliance with the ISO 22301 standard and the business continuity targets,
• Gaps in BCMS performance, identified through internal audits at planned intervals,
• Reviewing the management system at planned intervals.
Article 10: Improvement
Continual improvement comprises the activities carried out to increase the effectiveness and efficiency of the organization's business continuity processes for the benefit of the organization and its stakeholders.
The organization can increase the effectiveness of the management system by drawing on its business continuity policy, its objectives, audit results, analysis of observed events, improvement of indicators, corrective and preventive actions, and the outcomes of management review.