ISO 22301 is an international standard which provides requirements for establishing and maintaining a Business Continuity Management System (BCMS). The standard can be implemented by organizations of any type and size, with the intent of protecting business operations from incidents, whether natural, physical, cyber or economic. In other words, a BCMS enables an organization to be prepared for a wide range of unpredicted events by implementing a detailed Business Continuity Plan (BCP) and assigning the persons responsible for each scenario.
The list of reasons why an organization should implement and maintain a Business Continuity Management System based on ISO 22301 is long, but the basic and most important reason is to make sure that the organization does not go bankrupt or is not forced to close in the case of a disaster. For example, surveys show that the yearly IT downtime of organizations can amount to a great loss, but one which is not visible at first glance.
CA Technologies conducted a study which showed that the average IT downtime for companies in Europe and North America is approximately 14 hours yearly. While this does not seem like an event with significant consequences, when calculated it costs a staggering $26.5 billion, which is to say an average of $150,000 yearly for each company. In practice, however, some companies lose much more, depending on their size, the nature of the products and services they offer, and their business operations.
The implementation of a Business Continuity Management System entails a series of actions: implementing a number of strategies and policies and conducting a number of analyses. Some of them are:
- Business Continuity Policy
- Business Impact Analysis
- Risk Assessment
- Business Continuity Strategy
- Protection and Mitigation Measures
- Disaster Recovery Plan
- Business Continuity Plan
Since ISO 22301 provides general requirements, one of the main components of implementing the standard is the understanding of the organization and its context. In practice this translates into getting to know the organization, its products and services, interested and involved parties (such as shareholders, suppliers, customers, employees and so on), crucial business operations, and importantly, threats that the organization is most exposed and vulnerable to.
Some of the benefits of implementing a Business Continuity Management System based on ISO 22301 include:
- Ensure the continuation of business operations in case of disasters – This may include a scenario where the company is subject to a cyber-attack, such as ransomware, DDoS (Distributed Denial of Service), different viruses and so on – or it may include a natural disaster, such as flooding, earthquakes, hurricanes, etc. A BCMS enables organizations to create and maintain strong response and recovery procedures, thus ensuring the continuation of operations and the ability to keep serving customers. The organization’s management will be able to respond quickly to the situation with the right mechanisms and instruments, as well as measure the impact that incidents have on business operations.
- Safeguard profit and assets – An effective BCMS ensures the elimination or minimization of losses in case of disasters, and protects the revenue stream.
- Maintain good reputation – An organization which has a BCMS in place is more trusted in the eyes of its customers, shareholders, suppliers or any other involved party. By being certified against ISO 22301, an organization instills confidence in its partners which strengthens business ties and opens possibilities for new partnerships.
- Meet legal and regulatory requirements – The implementation of a BCMS based on ISO 22301 demonstrates that the organization is compliant with legal and regulatory requirements, and thus minimizes chances of penalties because of legal non-conformities.
- Reduce risk-associated costs – ISO 22301 helps an organization identify the potential risks which have a higher probability and impact. This way the management can identify which insurance is most appropriate for the organization and save on costs. Moreover, in case a disaster happens, the organization has the right tools to minimize the effects, and thus to minimize the costs of the impact and survive the disaster.
- Gain competitive advantage – An organization which is certified against ISO 22301 stands above its competitors. In turn, this can translate into, for instance, higher chances of winning public tenders as well as obtaining new, profitable partnerships.
ISO 22301 is a universal framework for implementing a Business Continuity Management System which truly helps organizations in their most difficult times. In a world where cyber defense has become a routine operation and natural disasters are more unpredictable and impactful than ever, it is crucial to be prepared for the difficult days a business might have, by investing in a comprehensive system which provides security, safety and protection of assets.
PECB is a certification body for persons, management systems, and products on a wide range of international standards. As a global provider of training, examination, audit, and certification services, PECB offers its expertise in multiple fields, including but not limited to Information Security, IT, Business Continuity, Service Management, Quality Management Systems, Risk Management, Health, Safety, and Environment.
About the Author
Julian Kuci is the Marketing Quality Assurance Manager at PECB. He is a graduate of RIT in Economics & Statistics and Public Policy & Governance. Julian holds a diploma in Transitional Justice from the Regional School of Transitional Justice and is certified against ISO 9001 – Quality Management and ISO/IEC 27001 – Information Security Management.