Delivering Sustained Success
Countries Regional


Business Continuity - ISO 22301

Overview of ISO 22301

As the market widens, technology improves, and managing expectations became a top concern for managing processes; risk prevalence increases across every operation. With the recent calamities and aftermath of climate changes, there is likewise a growing need for emergency preparedness and organisational resiliency. Managing risks used to be a specialist function, but nowadays, we see every process owners becoming aware of business risks and initiating and  instituting controls in their processes beyond basic requirements.

Managements systems can address such concern by putting in place the universal principle of PDCA as specified in ISO 22301:2012 to outline requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented business continuity management system . It is not with the intent to prevent disasters but to increase the organisation’s preparedness and protection  against it, be proactive against its likelihood and known vulnerability, prepare for, respond to, and recover from disruptive incidents when they arise.

What are the actions if there is a fire, power outage, computer virus attack, equipment failure, flash flood, or theft?  Business Continuity is not just about being up and running upon a crisis.  It’s about being ready for any incident that may cause a disruption to your business. 

Preparedness is the key to the above uncertainties.  It provides a level of assurance.   The requirements specified in ISO 22301:2012 are generic and intended to be applicable to all organisations, or parts thereof, regardless of type, size and nature of the organisation. The extent of application of these requirements depends on the organisation's operating environment and complexity.


Benefits of Business Continuity Management Systems (BCMS)

ISO 22301: 2012 Business Continuity Management (BCM) gives confidence and a visible means of meeting your customers' expectations and key stakeholders.  It helps companies to continue to operate to meet minimum business level of operations including statutory, regulatory and contractual obligations. It provides the organisation with the required  structure and infrastructure and assures the following: 
  • Managers and owners have the responsibility to maintain the ability of the organisation to function without disruption.
  • Preparedness of business activities as subjected to disruptions, such as technology failure, flooding, utility disruption and terrorism.
  • Provision of the capability to adequately react to operational disruptions while protecting welfare and safety.
  • A management system that adds value to the organisation, and not just a costly planning process, but an investment for organisational resiliency
  • Proactive practices towards threat and risk as an important element of good business, management, service provision and entrepreneurial prudence.

Implementing BCMS

Implementing ISO 22301 will incorporate the universal and cyclical PDCA approach as we have seen in the typical management system, extending the conventional business continuity planning process to take greater account of business continuity to prepare the organisation’s critical business functions against unforeseeable events that could change the risk environment and impact business continuity.  It will incorporate ‘failure scenario assessment methods’ such as Threat Profiling and Assessment, FMEA (Failure Modes and Effects Analysis), with a focus on identifying ‘triggering events’ that could precipitate serious incidents. It will streamline the resources among business continuity, disaster recovery, emergency response and security incident response and management activities. 

The coverage of its implementation is similar to BS 25999-2 such as  business continuity policy, business impact analysis, risk assessment, business continuity strategy , business continuity plans, exercising and testing etc. to raise the company’s  level of resilience and credibility . 

The level of importance of this standard is fast increasing along with the business intent to address action requirements for managing the risks that abound.


ISO 22301 Training Programmes

  • Business Continuity Management for Executives
  • Introduction to Business Continuity Management
  • Business Impact Analysis
  • Business Continuity Documentation
  • BCM Lead Auditor Training Course
  • Business Continuity Planning
  • QISMS Application
  • IMS Application
  • Crisis Management
  • Business Continuity Planning for Information Security
  • Business Continuity Planning for Integrated Management System
  • Business Continuity Planning for Compliance
  • Enterprise Risk Management using ISO 31000
  • Business Continuity Metrics Performance Management
  • BCMR Skills Development
  • Organization Preparedness for Business Continuity
  • BCM Change Control
  • Managing Business Continuity Capability and Cost
  • Crisis Communication


What are the prerequisites of implementing BCMS : ISO 22301?
A good foundation of any management system will be helpful depending on what risks are prevalent. It is best that the company have all the four components of managing risks for quality, environment health and safety, and information security to set the good foundation for its integration and implementation maturity.
What are the typical risks covered?
Risks that may lead to significant disruptions to the businesses are identified so that preparedness around such risks be managed?
What is the need for business impact analysis?
It important to conduct a business impact analysis to identify critical business functions so as to provide focus on what matters to the business with regards to set criteria such as customer requirements, regulatory compliance, and financial impact.
What are the measureable standards and requirements that needs to be established?
The system requires for maximum period of tolerable disruption ( MTPoD ) and recovery point objectives ( RPO )  around the various steps within the critical business functions.
Who is the rightful department to be accountable for the Business Continuity Management System?
There is no fixed department to possibly handle BCMS, it all depends upon the dominance and prevalence of risks. It is best for that coordinating unit to have knowledge on operational risk, and other such risks as strategic, hazard and even financial risks.
What is the difference between Enterprise Risk Management and Business Continuity Management System?
It will be an advantage if an organisation has a framework for enterprise risk management to facilitate the drive for preparedness against the risks that have been considered. The output of the ERM will come in very useful along with the business impact analysis as required by BCMS to facilitate the consequence analysis to the business and  the need for standards in the effort to minimize its impact of disruptive events.

Interested in discussing your requirements? Let’s talk.

Training  /  Online training  /  Capacity building


Contact Us