Understanding ISO 22301

Think cyber!
6th July 2021

In the last year, we have seen a marked increase in the number of client enquiries asking about ISO 22301:2019.

ISO standards provide an excellent framework around which to design your resilience programme, and ISO 22301 is the foundation for much of what we do. As organisations eye the future and try to protect themselves in the post-COVID landscape, we thought it was worth explaining what certification means and what it does.

ISO 22301 certification is awarded to organisations that fulfil the criteria set out by the International Organization for Standardization (ISO). ISO is an independent, non-governmental international organisation with a membership of 165 national standards bodies. Its aim is to maintain consistent standards across territories in an increasingly globalised business world.

The criteria for ISO 22301 are as follows:

  1. That the organisation implements, maintains and continually improves a Business Continuity Management System (BCMS);
  2. That it ensures conformity with its stated business continuity policy;
  3. That it is thus able to continue to deliver products and services at an acceptable predefined capacity during a disruption;
  4. That it seeks to enhance its resilience through the effective application of the BCMS.

Organisations of any size or type can apply. The certification shows that a business has processes in place to carry on during a period of disruption, and is demonstrably committed to upholding and improving those processes.

(In this sense ISO 22301 is different from ISO 22316, which is effectively a guidance framework that you cannot certify against. It is also different from BS 11200, which is guidance on managing a crisis as it unfolds rather than a certifiable continuity standard.)

ISO 22301 is a cornerstone of the Business Continuity Institute's (BCI's) Good Practice Guidelines, with which Horizonscan aligns. Much of our work focuses on ensuring our clients fulfil the criteria described above, and that they have the correct documentation and processes in place. With their strong focus on continual improvement, ISO standards can drive your programme forward. They also provide key data points for monitoring.

With this said, we do not always recommend that our clients immediately go forward for ISO 22301 once they have fulfilled the criteria for doing so. Getting the certification can be a relatively protracted process for busy risk managers, not to mention an expensive one: the certificate runs on a three-year cycle, with surveillance audits in between and a full re-certification audit at the end of each cycle. Hence, many of our clients wait until there is a clear commercial impetus, for example a customer who demands ISO 22301, before they formally certify.

All ISO standards are ultimately open to interpretation, allowing plenty of freedom and flexibility to tailor the BCMS to your organisation's requirements. So, once certified, you need to avoid the trap of keeping the auditor happy at all costs: the aim is genuine resilience, not a set of documents that exist only to pass the audit.

At Horizonscan, our goal is to get our clients to a position where they are resilient, as per the requirements of the standard, and can take the certification forward as soon as they need to.