ISO 22301 is the ISO International Standard for business continuity (BC). It provides a thorough framework for organisations preparing to act in the event of total failure. However, what many organisations fail to appreciate is that many of the situations that they seek to manage as ‘business continuity’ or ‘disaster recovery’ can be covered within their existing management systems. The two most common systems to which BC applies are Information Security and Occupational Health and Safety. Take a look at how the ISO 27001 and ISO 45001 standards approach business continuity before reading what you would have to have in place for ISO 22301.
ISO 27001 covers 14 control points for Information Security, ensuring that data and information remain secure, confidential and accessible to the correct audience. Within the Standard, there are specific requirements to ensure that controls are in place to manage foreseeable Business Continuity or Disaster Recovery events. Specifically:
On top of these control points, there is a full requirement to ensure that information security requirements are covered in the case of disruption (a Business Continuity event). This requires a plan to be prepared, tested, practised and evaluated.
Therefore, foreseeable risks could be managed as part of an ISO 27001 system, if the scope of the organisation's requirements fits the criteria above.
ISO 45001, the standard for Occupational Health and Safety, does not directly refer to ‘Business Continuity’ or ‘Disaster Recovery’ but instead has requirements that need to be in place to cover ‘Emergency Situations’. Emergency situations are unplanned situations that require a response, such as a fire or accident, or a situation in the immediate vicinity of the workforce that could affect them. The ISO 45001 standard requires emergency plans to be developed, tested, practised and evaluated to ensure they are not only fit for purpose, but can be executed by the workforce.
In the context of Business Continuity, the ISO 45001 standard will ensure that plans are in place to protect the workforce in the event of a disruptive situation, but does not set requirements to ensure that production or service is recovered to a determined level within a set period of time. However, depending on the context of the organisation, the cost of preparing alternative or recovery operations in the event of total disaster may be prohibitive, and therefore these can only be subject to insurance claims or reactive planning once the event has taken place.
Consider, then, what you are being asked for with regard to your business continuity. Many organisations are considering BC because their customers are asking for it, but in many situations the customer appears to be asking what their processes are for data recovery, in which case ISO 27001 would suffice. Implementing a BC system that meets the requirements of the ISO 22301 standard comes at a cost; the ISO 22301 standard is not a risk-based system. It assumes that total disaster will occur and that you need plans in place to deal with it when it comes.
This might be appropriate for organisations that operate at scale and for whom reactive planning would be impractical, and who also have finances to plan for and pay for resources even if they are not being used. For example, having a set of standby offices in place in case they are needed will likely multiply the cost of office rent; an unnecessary and impractical cost for a small business where employees can simply work from home. Furthermore, the cost of demonstrating compliance to gain an additional certificate is high and likely to be unnecessary for many organisations.
ISO 22301 is a good Standard and provides useful routines. For example, considering the priority areas that need to be reinstated, the minimum recovery options, and other methods or processes that can be adopted can add value to any system. If you are a Spedan Client, call us to discuss the Standard in more detail.