Business Continuity Management System (BCMS)
ISO 22301

Phase I - Understanding Business, and Products and Services

• Every client is unique with its business model, products and services, customers and business objectives.
• Identifying mission critical services that are revenue generating are the primary goal of this phase.
• The BCMS-ISO 22301 implementation journey starts with this phase as it provides them to define prioritisation of what is truly critical.
• This is where values like maximum tolerable period of disruption (MTPD), and recovery time objective (RTO) at the enterprise level are defined.

Phase II - Business Impact Analysis and Risk Assessment

• Based upon the outcome of the phase 1, a more detailed functional level Business impact analysis (BIA), and Risk Assessment (RA) is performed.
• Business Impact Analysis results in determining how fast (or slow) a team needs to be recovered
• Risk Assessment is the art and science of assessing current capacity, capability and readiness to achieve the objective within agreed MTPOD/RTO.
• How comprehensive is the BIA and risk assessment? We perform a 4-phase outage scenario that applies to determine degree of recovery capability that results in providing a client an unparalleled perspective of their continuity readiness.
• This is where business continuity risks are identified, which needs too be treated.

Phase III - Continuity Planning and Documentation

• Based on the outputs of the previous two phases and the mandatory requirements of ISO 22301, detail documentation is designed, discussed and deliberated with management and functional representatives.
• Depending upon the organisation, the planning could cover both ‘known events’ and unknown ‘black swan’ events.
• Every team in the scope undergoes documentation on business impact analysis, Maximum tolerable period of disruption (MTPD), RTO and RPO determination, business continuity risk assessment, individual plans related to four strategic outage scenarios, and testing methodology."

Phase IV - BCP Testing

• Business continuity plan is as good as it has been tested. With this approach in mind, we hand hold clients to perform testing of their documented plans to the optimum level.
• This involves management, functional, operational and recovery and response teams.
• Plans are evaluated against RTO to determine the success or failure of the test, and loopholes identified are addressed as part of the overall BCMS risk and governance program.

Phase V - Internal Audit and Management Review

• Internal audit start with preparation of ISO 22301 checklist and understanding the maturity of the BCMS developed so far.
• Internal Audit involves verifying the effectiveness of the implemented business continuity plans, and the ownership, and awareness across the organisation. It also helps to assess the maturity of the organisational process as business dynamics change.
• A formal report is published for management review.
• We facilitate reviews with the management to ensure that the initial business continuity/ISO 22301 requirement objectives and goals are achieved.

Phase VI - External Certification Support

Chosen external certification body audit performs ISO 22301 certification in two phases:

• Stage 1 – Documentation Review, and
• Stage 2 - Implementation Verification

With the two phases completed, the certification body issues an ISO 22301 certificate.
Finally, upon receiving their ISO 22301 certificates, the clients are officially ISO 22301 certified.

Questions?

Seek a one to one session with our Principal Consultant, who will answer your questions to get started.