'Societal' Business Continuity Management System (BCMS) – ISO 22301 – 2012

ISO 22301 Consulting Overview

We provide ISO 22301 consulting, implementation, audit and certification support. This includes a phase wise approach that involves understanding business context to business continuity, business impact analysis (BIA), risk assessment, exercise and testing, detail recommendations, policy/documentation support, training, coaching employees/teams, coaching business continuity managers, audit and management review leading to successful zero defect ISO 22301 certification.

Our ISO 22301 consulting methodology ensures several benefits. Most important of them are the organisation preparedness to manage 'any' crisis or outage. The focus of any business continuity program is not limited to ‘prevention’ but more importantly 'ability to respond'. The standard uses these 4Rs - namely 'respond, recover, resume and restore'.

Our approach of ISO 22301 audit ensures that you get true business value on this investment.


BCMS is the organizations' capability to respond post a crisis within a pre-determined response time. BCMS is not how you prevented crisis but more importantly what you will do post crisis. Crisis can be described in several outage scenarios but chiefly they can combine people outage or unavailability, physical site, communication or technology, and/or vendor unavailability. Setting up BCMS involves understanding business and its requirement for recovery expressed in unit of time. In addition, it also involves business continuity decisions on architecture, definition, documentation, implementation, measurement and audits. The most important feature of BCMS is testing your plans - because your business continuity is as good as it is tested.

Absence of a defined process as to how your business will recover or its testing is therefore a clear case of absence of a business continuity management system (BCMS).


The standard is divided into 10 following clauses. For ISO 22301 certification only Clause 4 to 10 is applicable.

Clause 1 – Scope
Clause 2 – Normative References
Clause 3 – Terms and definitions
Clause 4 – Context of the organization
Clause 5 – Leadership
Clause 6 – Planning
Clause 7 – Support
Clause 8 – Operation
Clause 9 – Performance Monitoring
Clause 10 – Improvement

We bring our world-class experience in delivery BCMS ISO 22301 implementation leading to successful certification.

Phase I - Understanding the business context and relevance of business continuity is the starting point of ISO 22301 implementation.

Phase II - Detail business impact analysis (BIA) and risk assessment gives us an understanding of the core of the business. The process on one-hand helps in understand what are the key ‘value creation’ activities on one hand and their level of preparedness for different outage scenarios. The outcome of iso 22301 BIA and risk assessment leads to identification of flaws of various types, which can include single point of failures as well as lack of preparedness for managing certain threats and outages.

Phase III - This phase is a management strategy and decision making phase. We help management take a right decision on which risks they should be prepared. Decision such as 'build or buy', hot site, warm site or cold site need to be taken. Once the decision is taken the development of the individual plan starts.

Phase IV – This phase involves development of individual plans with teams that are responsible either for 'respond, recover, resume and restore' processes. Coral has identified best practice business continuity plans that must be documented. The individual plans are discussed and handed to teams for adequacy, acceptance and ownership.

Phase V - the testing phase is the most crucial phase for iso 22301 certification. Any organizations BCP is as good as it is tested. So special emphasis is laid to cover all aspects of the plan – in order to ensure relevance, awareness among the teams, and the organisation.

Phase VI - ISO 22301 Audit is verification of the newly established process against each requirement for ISO 22301. This is also to check the 'lifecycle' aspect of the process.

Phase VII - ISO 22301 certification?audit has two stages:

Stage 1 - documentation, and, Stage 2 - implementation verification.

What are the key consulting differentiators to our ISO 22301 consulting assignment?
  • Business continuity Architecture in line with business objectives
  • Testing each aspect of documented plan
  • Enterprise risk reduction
  • ROI consulting - We attempt to ensure that you become BCM compliant within existing investment
  • Speed and comprehensiveness in consulting delivery
  • Business continuity principles embedded in each business lifecycle/change
  • Structured and proven risk assessment and risk measurement
  • Documentation at 4 layers which encompass certification and internal maturity requirements
  • Measurements that determine the degree of compliance for applicable controls
  • Higher participation of compliance through head of department involvement
  • Awareness to each and every member of the organisation
  • Framework implementation and continual improvement
  • Successful ISO 22301 certification
Upon ISO 22301 certification what should happen in the organisation?

An organisation getting ISO 22301 certification has the following key strengths:

  • A business continuity policy signed by the top management typically CEO.
  • Identification of core business activities including products, services and support functions whose unavailability is simply not acceptable to business
  • A formal risk assessment process – which shows your single point of failures - be it team, technology, site or vendors.
  • Documented plan of restoration in each aspect of your continuity. You will have event - wise plans and outage wise plans.
  • Each plan is tested and the learning of the test is documented for next testing. A test makes the organisation more resilient and provides a sense of assurance.
  • Trained manpower to carry out there business continuity function
  • A dashboard that goes from business continuity management team to top management explaining how business continuity is performing
  • An annual BCMS plan that shows the BCMS activities that involves design, implementation and audits.
  • Reduction in enterprise risk insurance premium.
So what makes a good ISO 22301 consultant?

ISO 22301 - the standard on business continuity management system lays down a formal set of people, process and technology processes to counteract any business disruption. The benefit of this implementation is an assurance that business will continue in case of 'any' disaster or disruption.

The role of the ISO 22301 consultant is therefore very crucial and has to demonstrate several skills. A combination of expertise goes into making one and delivering a formal ISO 22301 consulting assignment.

The ISO 22301 consultant has to have the following basic skills (not exhaustive):

  • Ability to understand the business in terms of ‘organisation in motion’.
  • Ability to understand business risks faced by them on a day to day basis
  • Ability to identify continuity risks
  • Ability to divide the organisation into logical groups to identify candidates for business continuity in a scale up manner
  • Ability to perform a gap analysis on ISO 22301 requirements
  • Ability to perform business impact analysis (BIA) using a structured methodology applying organisation rules
  • Ability to identify mission critical activities using a structured approach
  • Ability to present management with multiple options of recovery
  • Ability to seek management approval by presenting a risk based calculation
  • Ability to define and document policy, procedures and specific measurements for each identified iso 22301 processes
  • Ability to envisage and define plans considering events and outages. Event can be fire. And an outage is site outage.
  • Ability to measure the maturity of ISO 22301 processes on a predefined scale, provide justification of the identified process
  • Ability to advise and define multiple test scenarios as applicable to the organization
  • Ability to conduct trainings
  • Ability to ensure the cross functional impact as a result of a newly implemented policy

Selection of an iso 22301 consultant therefore has to be done ensuring adequate experience in all of the above.

Recent Business Continuity Blogs

Contact Us:

Please enter your contact information in the fields below
and one of our experienced consultants will contact you immediately.