Business Continuity and ISO22301 Preparing For Disruption EU Sep 22

This green paper discusses the importance of business continuity management (BCM) and the implementation of ISO 22301 to prepare organizations for disruptions. It outlines key components such as risk assessment, business impact analysis, and the development of business continuity plans (BCPs) to ensure operational resilience. The document also presents a nine-step approach to establishing a compliant business continuity management system (BCMS) and highlights the need for regular testing and certification.


IT GOVERNANCE | GREEN PAPER

Business Continuity and ISO 22301

Preparing for disruption

www.itgovernance.eu

00 800 48 484 484


Introduction

The extreme events of recent years with wide-reaching business disruption, including COVID-19 lockdowns and the 2021 Suez Canal obstruction, have made organisations look at business continuity planning with fresh eyes.

While few organisations are truly prepared for black swan events – for they are, by their very nature, unpredictable – organisations can and should be prepared for more commonplace incidents such as fires and floods, and the subsequent unplanned office closures and/or staff being unable to travel.

However, as common as business continuity plans (BCPs) might be, it is almost as common for those plans to be metaphorically (and sometimes literally) gathering dust somewhere. As a result, staff are not familiar with them, so will not know what actions they are expected to take if an incident happens. In any case, there is little guarantee those plans will work, as more often than not, they are out of date, untested, or both.

In any organisational endeavour, a key component of success is that you can operate without being interrupted by unforeseeable factors (or, for that matter, foreseeable factors). To do this, you need to develop an array of contingencies to ensure that resources and productivity are not disrupted by everyday events.

However, everyday events are one thing. Significant disruptive incidents, especially on a global scale, are quite another. Most contingencies are developed on an intuitive basis and are intended to deal with short-term problems. When the problems are longer term, or of a scale or nature not anticipated by the designer, they often fall short of what is needed to ensure continued operation, putting the organisation at significant risk.

Business continuity management

Business continuity management (often referred to as ‘BCM’) is a systematic process of risk management and planning designed to ensure that an organisation can quickly return to an acceptable level of service after a disruption, whatever its nature. It is about guaranteeing the organisation’s survival, even in the face of the unexpected, by ensuring the most critical business functions continue to operate – even if at reduced capacity – while you attend to the disruption.

The most comprehensive way to ensure your organisation returns to business as usual as quickly as possible in the event of a disruption is to implement a business continuity management system (BCMS), preferably aligned to its international standard, ISO 22301.

This green paper will discuss the fundamentals of best-practice business continuity management, as well as our nine-step approach to implementing ISO 22301.

The foundations of a BCMS

Some of the key elements of ISO 22301, and business continuity management in general, are:

• Risk assessment;
• Business impact analysis (BIA);
• Business continuity solutions and strategies; and
• Business continuity plans (BCPs).

Risk assessment

Naturally, to make informed decisions about how and when to continue key business functions, you should first consider what scenarios might disrupt them. Determining these is a key output of the risk assessment. The risk assessment also establishes how likely these disruptive scenarios are, and how severe their impact might be.

Ultimately, risk exposure is about the combination of impact – how serious an incident would be if it occurred – and how likely that occurrence is. This combination gives a risk ‘score’, which can be compared to the organisation’s risk acceptance criteria (these are different for every organisation, depending on its nature and size).

If the risk score is low, you may choose not to do anything about it, thus accepting its existence. If the risk falls outside the acceptance criteria, you should take action. This could be an extreme response, such as suspending an activity altogether, or it could be something more moderate, such as taking out insurance or providing backups.

Business impact analysis

The BIA, alongside the risk assessment, is the most critical process involved in a BCMS (and business continuity management in general). It is used to identify an organisation’s critical business activities, and how severe the business impact would be if those activities were disrupted.

From that, the BIA determines how quickly, in what order, and what resources you need to restore them to minimum functionality or availability in the event of a disruption. However, it does not concern itself with what those incidents might be (which is a risk assessment output).

The BIA outputs – especially what your critical business activities are and their recovery time objectives and priorities – provide key information for your BCPs.
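The risk-scoring and BIA logic described in the foundations section, as an added worked example that is not part of the green paper: each scenario's likelihood and impact combine into a score that is compared with acceptance criteria, and the BIA's critical activities are sequenced by recovery priority and recovery time objective. The 1–5 scales, the acceptance and extreme thresholds, the use of a product as the combination, and every register entry are constructed assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One disruptive scenario identified by the risk assessment."""
    scenario: str
    likelihood: int  # constructed 1..5 scale: 1 = rare, 5 = almost certain
    impact: int      # constructed 1..5 scale: 1 = negligible, 5 = severe


@dataclass(frozen=True)
class Activity:
    """One business activity together with its BIA outputs."""
    name: str
    critical: bool
    rto_hours: int  # recovery time objective: maximum tolerable time to restore
    priority: int   # recovery priority from the BIA, 1 = restore first


# Constructed acceptance criteria: scores at or below this are accepted.
ACCEPTANCE_THRESHOLD = 8
# Constructed cut-off above which a moderate response is assumed not to suffice.
EXTREME_THRESHOLD = 16


def risk_score(risk: Risk) -> int:
    """Risk exposure as the combination of likelihood and impact (here, the product)."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.scenario}: likelihood and impact must be 1..5")
    return risk.likelihood * risk.impact


def treatment(risk: Risk) -> str:
    """Compare the score with the acceptance criteria and choose a response band."""
    score = risk_score(risk)
    if score <= ACCEPTANCE_THRESHOLD:
        return "accept"
    if score > EXTREME_THRESHOLD:
        return "treat: extreme response (e.g. suspend the activity)"
    return "treat: moderate response (e.g. insurance, backups)"


def assess(risks: list[Risk]) -> list[tuple[str, int, str]]:
    """Risk register rows, highest score first: (scenario, score, treatment)."""
    rows = [(r.scenario, risk_score(r), treatment(r)) for r in risks]
    return sorted(rows, key=lambda row: -row[1])


def recovery_order(activities: list[Activity]) -> list[str]:
    """BIA output: critical activities in the order they should be restored."""
    critical = [a for a in activities if a.critical]
    return [a.name for a in sorted(critical, key=lambda a: (a.priority, a.rto_hours))]


# Constructed sample data, mirroring the scenarios used in the text.
SAMPLE_RISKS = [
    Risk("Train strike prevents staff travel", likelihood=4, impact=2),
    Risk("Major flooding of primary site", likelihood=2, impact=5),
    Risk("Pandemic lockdown closes all sites", likelihood=4, impact=5),
]
SAMPLE_ACTIVITIES = [
    Activity("Order processing", critical=True, rto_hours=4, priority=1),
    Activity("Payroll", critical=True, rto_hours=72, priority=2),
    Activity("Customer support desk", critical=True, rto_hours=8, priority=2),
    Activity("Marketing newsletter", critical=False, rto_hours=720, priority=9),
]

if __name__ == "__main__":
    for scenario, score, action in assess(SAMPLE_RISKS):
        print(f"{score:>2}  {scenario}: {action}")
    print("Recovery order:", " -> ".join(recovery_order(SAMPLE_ACTIVITIES)))
```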



Business continuity solutions and strategies

From the risk assessment and BIA outputs, you can consider business continuity solutions for before, during and after a disruption, with a view to:

• Meeting your requirements and objectives;
• Protecting your critical business activities;
• Maintaining access to key resources in the event of a disruption;
• Reducing the likelihood of a disruption; and
• Reducing the impact of a disruption, should it occur.

To cover all these points, you will need multiple solutions – a single solution will not achieve all the above. However, one solution can work for different types of disruption – for example, remote working technologies are a solution for site closures (whether due to a fire, flooding, a natural disaster or government-imposed lockdown) as well as for a train strike that prevents a meaningful number of staff from getting to the workplace.

You should also identify multiple solutions so you can take different approaches to recovering the same activity. This ensures you can appropriately respond to different types of disruption. For example, on-site production can be disrupted because of a train strike, which usually lasts a few days at most and does no damage to the production site itself. However, on-site production can also be disrupted by major flooding, which can take weeks to fully clear up, and prevent staff from coming in as well as damage the site and resources on it.

The same business activities may be affected, but the implications of the disruption are very different, and require different solutions as part of your response. Going back to the earlier example, remote working technologies can help keep your business going to begin with, but while your primary site is being restored (which in itself will require a range of recovery solutions) you may need to take steps to temporarily migrate to another site – another solution you should prepare.

As you combine solutions, you are effectively building your response strategies. Your strategy should detail the solutions you will use, and at what stage of the disruption (before, during or after) you will use them. This will provide the outline for your BCPs.

Business continuity plans

As mentioned earlier, BCPs are probably the most common business continuity management aspect that organisations tend to have, but are often not as valuable or effective as they should be.

BCPs should be developed on the basis of your business continuity strategy, which in turn should be developed on the basis of your risk assessment and BIA outputs, and the business continuity solutions you selected.

Your BCPs should also be clear and specific, directly refer to the predefined thresholds for activating each plan, and set out when the plan can be deactivated, how reporting is conducted, the roles and responsibilities of people involved in deploying the plan, and any supporting information necessary. Furthermore, the plans should be accessible to all those who will need to use them when activated, so be sure to communicate them effectively to whoever needs to know what is expected of them.

When deciding on the areas your BCPs should cover, develop several broad scenarios for which responses are likely to be similar to save time and effort. You might, for example, prepare plans for the following types of disruption:

• Major site or premises incidents (fires, floods, and so on).
• Information and communications system failures.
• Supply chain failures.
• Pandemics and similar scenarios.

This approach has a good balance of focus, so you do not end up with one large, unwieldy plan, and efficiency, combining scenarios where it is practical to do so.



Our nine-step approach

This section takes you through our tried-and-tested, step-by-step approach to implementing an ISO 22301-compliant BCMS.

Step 1: Project mandate

The first stage in any major project should be to ensure that the project has support from the very top. Senior management or the board are unlikely to commit to a project that has not been defined, so this step will involve defining the scope of the BCMS and producing a business continuity policy that reflects your organisation’s needs and objectives.

Step 2: Project initiation

With the project approved, the project leader can begin to develop the BCMS from the information established in step 1. The nascent project should be developed to ensure that both it and the BCMS are capable of achieving their objectives. Part of this will involve defining the project plan, key deliverables and delivery dates, which will allow the organisation to keep track of milestones and ensure the project is delivered on time, as intended and within budget.

Step 3: BCMS initiation

Once the project has been initiated, the BCMS itself can be started. This stage involves listing the requirements of each BCMS process and the tasks needed to develop and implement them. These will relate directly to the principal stages in the project plan and inform the assignment of the tasks required to execute the plan.

One of the key elements of this will be establishing the Plan–Do–Check–Act (PDCA) process model for the BCMS, ensuring its processes can be run, evaluated and amended to meet the organisation’s requirements on an ongoing basis. Part of the BCMS initiation will also involve establishing the documentation structure.

Step 4: Management framework

The management framework – the structure of processes essential for an effective BCMS – looks at the broader features of the management system:

• The context of the organisation – its circumstances, objectives and requirements – which should be established at the outset.
• Key ‘foundation’ processes – leadership, planning and support – requiring you to identify and take into account the needs of interested parties.

The management framework must also formalise key arrangements, including the necessary resources, communication and awareness strategies, and competence requirements.

Step 5: Risk assessment and BIA

These processes – discussed in more detail in ‘The foundations of a BCMS’ – are pivotal to the BCMS and the basis upon which effective resilience and recovery capabilities are built.

Step 6: Business continuity strategy and plans

Each business continuity strategy should comprise multiple solutions, which should be selected based on your risk assessment and BIA outputs. ‘Business continuity solutions and strategies’ discusses this in more detail.

The strategies you develop will form the outlines of your BCPs, which are discussed further in ‘Business continuity plans’.

Step 7: Implementation

This phase involves implementing the processes for incident detection; alerting and escalation; response and communication; recovery or continuity of business activities; and final resumption of a business-as-usual state. Crucially, these processes must be documented so that anyone who needs to be involved can follow them through.

Of course, these procedures must be validated before relying on them, so it is sensible to conduct at least one exercise when implementing them, and to repeat the exercise at least annually, to establish a minimum level of effectiveness. The same applies to BCPs: it is a good idea to test them upon implementation and as an annual exercise to make sure that they are working as intended, as well as to ensure staff will know what to do, should an incident occur.



Step 8: Measure, monitor and review

A critical element of ISO 22301 is that BCMS processes must be regularly and systematically monitored, audited, assessed and reviewed. Over the life of the BCMS, these processes will ensure that the organisation remains capable of responding to and recovering from disruptions, and improve these capabilities where possible.

This stage involves designing these processes and putting them in place. The Standard divides them into three elements:

1. Monitoring, measurement, analysis and evaluation
Establishing a set of performance metrics and a process for continual monitoring and measurement of the BCMS, its effectiveness, and that of the response and resilience arrangements that the BCMS produces.

2. Internal audit
Regular independent inspection to confirm that processes are followed as described.

3. Management review
Reviewing the process outputs – along with other relevant information – to assess the BCMS against its objectives.

Step 9: Certification

The final stage is to seek external validation. This serves two key purposes:

1. It checks that the BCMS aligns with the Standard and best practice, which will give the organisation the best chance of surviving disruption.
2. Certification allows the organisation to demonstrate this to partners, clients and other stakeholders.

The certification audit will look for several things to determine whether the BCMS is worthy of ISO 22301 certification. There are a few things you can do to maximise your chances of passing:

• Your documentation is complete, comprehensive and available for the auditors to inspect.
• You have records of internal audits and testing to prove your BCMS is an active management system that is subject to genuine continual improvement, as opposed to just a set of static documents.
• Staff have thorough knowledge of the business continuity areas for which they are responsible.

Conclusion

Even the best-managed organisation can face major disruption out of its control – COVID-19 and the Suez Canal obstruction are good examples. It is therefore essential to plan to mitigate such risks.

Any structured, tested approach to business continuity management will help, but the best way to demonstrate that you are managing the operational risks that could lead to business disruption is to develop and implement a BCMS that meets the requirements of ISO 22301 and is, preferably, externally certified against the Standard.

There will inevitably be implementation costs involved, whether you are implementing a full BCMS or just a few effective BCPs, but those costs will seem minor compared to the operational, financial and perhaps reputational damage a disruption may cause. Real incidents should be rare, but that is not an excuse for being unable to act swiftly when the time comes.





Useful business continuity resources
IT Governance offers a unique range of business continuity products and services, including standards, books, documentation packs and toolkits, staff awareness elearning and training courses.

ISO 22301:2019 Standard
The international standard ISO 22301:2019 provides organisations with the requirements to establish an effective BCMS that helps them prepare for and minimise the impact of disruptions that could delay operations and impact the objectives of employees, suppliers and customers. These are the same requirements an auditor will check your BCMS against to determine whether it is worthy of ISO 22301 certification.

Validating Your Business Continuity Plan – Ensuring your BCP actually works
When disruption strikes, you need to know that your BCPs will work smoothly and consistently. This book explains why validating them is essential to your organisation’s survival, and describes the components of a validation programme.

ISO 22301 BCMS Toolkit
This documentation toolkit contains a complete set of easy-to-use, customisable and fully ISO 22301-compliant documentation templates that will save you time and money when implementing an effective BCMS. The toolkit also contains convenient dashboards and gap analysis tools, as well as direction and guidance from experienced business continuity consultants.

Business Continuity Risk Management Pack
This documentation pack will enable you to develop BCPs tailored to your organisation’s individual risk appetite, and ensure your organisation is fully prepared to recover critical business functions as quickly as possible in the event of a disruption. The pack includes templates and guidance for conducting a risk assessment, developing a risk register and performing a BIA.

Business Continuity Staff Awareness E-learning Course
Prepare your employees to respond to workplace disruptions with our interactive, 45-minute business continuity elearning course. Teach your staff what business continuity is, how it is applied in your organisation, and the key role they play. The course includes an assessment at the end to test staff understanding, and tracks participation and test results.

Certified ISO 22301 BCMS Foundation Training Course
This one-day course provides a comprehensive introduction to ISO 22301:2019 and its requirements for an effective BCMS, including key business continuity concepts, terms and definitions, and the principles of BIA and risk assessment. As this is a Live Online course, you can take it from anywhere with an Internet connection.

Business Continuity and the Pandemic Threat – Learning from COVID-19 while preparing for the next pandemic
A must-have for facing the pandemic threat, this book reveals what you should do to mitigate the risk and limit the damage, while designing suitable contingency measures.

Pandemic Business Continuity Plan Template
Pandemics are by their nature widespread, indiscriminate and impossible to prevent. Create your own pandemic BCP in minutes with our easy-to-use, customisable template, developed by our expert business continuity practitioners. Areas covered within the template include a communications strategy, home/remote working, legal and contractual obligations, and minimising the disruption to key products and services.



More free green papers
IT Governance publishes numerous free green papers – as well as many other resources, including webinars, infographics and case studies – on a wide range of topics. Here are two you might be interested in:

Business Impact Analysis – Step by step
Want to learn more about BIA? This green paper discusses exactly what BIA is (and is not), where BIA fits into your overall recovery strategy, and our six-step approach to conducting a BIA, including how to identify relevant business activities, analyse the impact over time and determine your recovery priorities.

Cyber Security and Business Resilience – Thinking strategically
Want to learn more about how business continuity can interact with cyber security? This green paper explains the value of thinking resiliently when it comes to security, and the value of incorporating business continuity elements into your cyber defences. It also covers the basics of risk assessment, and key points around prevention, detection and response.

About IT Governance green papers


The concept of “Our expertise, your peace of mind” informs everything we do – sharing our knowledge and experience to ensure our customers’ IT governance, risk management and compliance (GRC) projects go smoothly and are successful.

Our green papers draw on our specialists’ experience and expertise to give you the guidance you need to move your projects forward, whether you need expert advice on compliance, a concise guide to a tricky process or tips for implementing management systems.

IT Governance green papers: the green light at the start of your IT GRC journey.



IT Governance solutions
IT Governance is your one-stop shop for cyber security and IT GRC information, books, documentation toolkits, training, consultancy, penetration testing, software tools, and more. Our products and services work harmoniously together so you can use them individually or combine different elements depending on your needs.

Books
Our sister company IT Governance Publishing (ITGP) is the world’s only niche IT governance publisher, collaborating with industry experts to produce high-quality publications about best-practice frameworks, compliance and technical subjects.

Our books cover a wide range of GRC topics, including cyber security and resilience, data privacy and business continuity. They also come in a range of formats, including softcover, PDF, ePub, Kindle and audiobook.

Visit www.itgovernance.eu/en-ie/shop/category/it-governance-eu-books to view our full catalogue.

Consultancy
Whatever your IT GRC needs and budget, we have consultancy options to suit you. From fixed-price packaged solutions to bespoke and corporate consultancy services, we can help you meet your objectives efficiently and cost-effectively.

Our unique combination of technical expertise and practical experience managing hundreds of projects around the world means we can deliver a complete solution, managing your project from start to finish. Join the more than 5,000 organisations we have already helped, and let us offer you cost-saving and risk-reducing solutions based on international best practice and frameworks.

Visit www.itgovernance.eu/en-ie/consulting-ie for more information.

Toolkits
Created by expert practitioners and used by more than 9,000 organisations worldwide, our toolkits contain fully customisable documentation templates designed to help you meet your compliance obligations, ranging from ISO 27001 to the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), ISO 22301, and more.

A number of our toolkits are hosted on our Cloud-based DocumentKits platform, enabling us to regularly update them and making it easier for you to collaborate. These toolkits also come with unlimited support for account setup and assistance to help you customise and use the templates.

Visit www.itgovernance.eu/en-ie/documentation-toolkits-ie to view and take a free trial of our toolkits.

Penetration testing
Identify and mitigate your vulnerabilities before criminal hackers can exploit them. Our CREST-accredited penetration testing solutions can support your organisation’s security by identifying vulnerabilities in your infrastructure, applications, wireless networks and people through our fixed-price penetration testing packages.

At the end of each engagement, you will receive a comprehensive report that clearly explains any issues we have identified from both technical and non-technical perspectives, how those issues affect your organisation, and recommendations for remediating them.

Visit www.itgovernance.eu/en-ie/penetration-testing-services-ie for more information.

Training
We provide a wide range of training courses, covering areas including data privacy, information security and ISO 27001, cyber security, ethical hacking, and professional certification courses such as CISA®, CISM®, CGEIT® and CRISC®. To date, we have trained more than 28,000 individuals.

Our courses range from introductory to advanced training, and are available as Live Online and self-paced online courses. Visit www.itgovernance.eu/en-ie/training-ie for more information.

More interested in short awareness courses that deliver a consistent, interactive and comprehensive message to all your staff? Visit www.itgovernance.eu/en-ie/it-governance-e-learning-ie for more information.

Software
Our sister company Vigilant Software develops industry-leading software tools designed to make meeting your security obligations and complying with privacy laws simple and affordable.

The CyberComply platform comprises six Cloud-based tools: Compliance Manager, the Data Flow Mapping Tool, the Data Protection Impact Assessment (DPIA) Tool, GDPR Manager, Incident Manager and vsRisk.

Visit www.itgovernance.eu/en-ie/shop/category/software for more information.



IT Governance Europe Ltd
Third Floor, The Boyne Tower, Bull Ring, Lagavooren, Drogheda, Co. Louth, A92 F682, Ireland
www.itgovernance.eu | 00 800 48 484 484 | [email protected]
/it-governance-europe-ltd | @ITGovernanceEU | /ITGovernanceEU

© 2003–2023 GRC International Group PLC | Trademark Acknowledgement Statements | GRC International Group Trademarks Notice | September 2022
