How to achieve Business Continuity ISO 22301 Implementation - ISO 22301 certification?


Business continuity (BC) is about bringing back your business post crisis or a disaster situation. BC is about managing ‘black swan’ events in your organisation – something that you never expected. However there is a scope – defined in terms of outages. You can chiefly plan against four outage scenarios – namely site outage, people or skill outage, technology outage and vendor outage. Can you think of anything else – please write to me!

Here are the key requirements that ISO 22301 demands that must be done to demonstrate a formal business continuity management system leading to successful certification.

Step 1 – Business Impact Analysis (BIA)  – BIA is the assessment of what is most important of to your business and how long can you survive without it without losing any revenue. If you are a Bank you may say my customers are unwilling to wait outside the ATM if they are not getting cash. Apply the same logic for your customers and ask them to how long can they wait. You have two values from this analysis  – Your Revenue generating services (RGS) and maximum acceptable outage(MAO). Both of these – will determine your business continuity plan (BCP). They will answer ‘what to restore’ and ‘how fast’?

Step 2 – Risk Assessment is the assessment of how prepared are you for ensuring availability. It identifies your single point of failures in all four capabilities – namely site outage, people or skill outage, technology outage and vendor outage. It questions are you are prepared or you need a plan. The flaws identified are fed into a plan strategy.

Step 3 – Business Continuity Strategy is your choice based on budget of what you wish to address. This is also a choice where a likely failure is imminent. For each outage scenario – there are options. For example for technology outage – you have redundancy, cold site, warm site and hot site.

Step 4 – BC Plans including incident management structure – who will invoke the plans, incident wise plans and continuity plans based on outages – reflect the list of plans against each scenario , who will do what, and how fast we will recover. Documented plans reflect your organisations’ formal approach. No documentation = no certification = no formal ‘intent’.

Step 5 – BC Testing the above list of plans is the next step as well as most crucial. No testing = No BC. Testing approaches start from Table Top exercises (least expensive) to Switching off the mains (most expensive) – all options are available depending upon the confidence you wish to have. Additionally test whether your plans will ensure the same time as defined in the MAO.

Step 6 – Internal Audit – If you are seeking ISO 22301 also perform an internal audit against all requirements as well as compliance against the MAO objectives will ensure the auditors do not question your overall business continuity objectives.

Step 7 – Communication and training are additional elements to ensure your ROI on BC. More People awareness equals more aware ‘junta’, thereby ensuring least opportunity of failure.