What are the ISO 22301 Requirements?


Like many of the other ISO standards, ISO 22301 features introductory clauses (1-3), and it also has its own fundamental clauses (4-10)—of these, clause 8 (Operation) is key to standing up the Business Continuity Management System (BCMS) and achieving ISO 22301 certification.

As a long-time ISO certification body, we’ve been helping different organizations secure different ISO certifications for years, which means we know the big lift it is to implement any kind of management system. That’s why, in this article, we’re going to provide a brief overview of each of the ISO 22301 clauses with a more thorough detailing of that key clause 8.

If you’re interested in getting ISO 22301 certified, moving forward with this information should help you well along in that process.


What are the ISO 22301 Key Clauses?

Let’s begin with the aforementioned “introductory” clauses—these don’t contain any specific requirements; rather, they provide the background information you’ll need when implementing the next set of clauses:

  • Clause 1: Scope
    • Defines the boundaries and applicability of the ISO 22301 standard
  • Clause 2: Normative References
    • Includes other guidance or standards that can help in your work to align with ISO 22301
  • Clause 3: Terms & Definitions
    • Establishes the common terminology used in the standard so that it is implemented consistently across organizations

Then, you have the next six clauses (4 through 7, plus 9 and 10), which are mandatory and must be implemented in order to achieve ISO 22301 certification. These break down as follows:

Clause 4: Context of the Organization

Asks that you identify relevant internal and external factors that could impact your ability to maintain business continuity—understanding things like your organization’s size, structure, and resources, as well as regulatory requirements, economic conditions, and current market dynamics can help you devise strategies suited to your specific circumstances.

Clause 5: Leadership

Requires—like many other ISO standards, including 27001—that your organization’s leadership demonstrate support for business continuity through the allocation of necessary resources and their overall backing of the BCMS.

Clause 6: Planning

Mandates that you define your business continuity policy and set related objectives—these must be measurable, consistent, updated as needed, monitored, and communicated both internally and externally, and they must also account for any applicable laws and regulations your organization is contractually bound to follow.

* Clause 6 provides the foundation for adherence to Clause 8, as every management system’s operational processes and effectiveness revolve around these objectives.

Clause 7: Support

Involves making sure the necessary personnel are explicitly aware of their roles within the BCMS and prepared to carry out those roles adequately.

Clause 9: Performance Evaluation

Stipulates that you monitor and periodically evaluate the BCMS using established and documented procedures for measuring and analyzing its performance.

Clause 10: Improvement

Requires that you address discovered nonconformities, learn from any incidents that do occur, and enhance your BCMS in order to facilitate continual improvement.


A Breakdown of ISO 22301 Clause 8

The other key clause of ISO 22301 is Clause 8, which encompasses the Operation of your BCMS.

As it is such a critical component, we’re going to break it down into its subclauses (8.1 through 8.6) and the specific operating design and effectiveness pieces that your assessors will look for to ensure that your management system conforms with this part of the standard.

ISO 22301 Clause 8.1 - Operations Planning and Control

First and foundational, 8.1 asks you to establish your requirements for business continuity operations, including explicit policies and procedures that give relevant personnel a set of processes to follow, acknowledged by those involved, so that operations are carried out consistently.

Of heavy focus will be the design of how your organization controls:

  • Processes;
  • Planned changes; and
  • Responsibilities (internal or outsourced), in order to ensure that business continuity is being carried out as planned.

During your assessment, auditors will look for specific policies and procedures that match up to the desired effectiveness you establish as part of clause 8.1, and they’ll check to ensure that documentation is reviewed and updated by responsible parties.

ISO 22301 Clause 8.2 - Business Impact Analysis (BIA) and Risk Assessment

Another integral part of ISO 22301, clause 8.2 asks that you assess potential impacts that could affect your ability to meet service agreements, business continuity objectives, and legal/regulatory requirements. It has two components:

BIA

Determines business continuity priorities that are relevant to your organization’s context by:

  • Identifying activities that support the provision of products and services; and
  • Calculating the impact of the disruptions noted, including factors like maximum tolerable period of disruption and recovery time objectives.

Risk Assessment

Should include details of the business continuity risks, scoring and categorizing the impact on the organization if each risk were to occur, including how your organization:

  • Analyzes;
  • Evaluates; and
  • Prioritizes risks so that you can determine treatment plans for those risks deemed detrimental to your products and/or services.

Note: These risks differ slightly from risks addressed in clause 6, as these risks are specific to disruption of business continuity rather than the effectiveness of the management system.

Auditors will check that you’re performing, monitoring, and reviewing these two processes at planned intervals to account for organizational changes or shifting potential impacts.

ISO 22301 Clause 8.3 - Business Continuity Strategies and Solutions

Using the outputs from the business impact analysis and risk assessment, you’ll then identify and select business continuity strategies for pre-disruption, during-disruption, and post-disruption activities as part of clause 8.3.

With consideration to the required time frames for the continuance and recovery of products and services identified in the BIA (that reflect contractual requirements), these strategies should:

  • Reduce the likelihood of disruptions;
  • Limit the impact of disruption;
  • Provide adequate resources; and
  • Protect the organization.

As part of each strategy, you’ll also need to determine the resource requirements, including the necessary people, information and data, physical infrastructure, etc.—as well as the financial cost for all of that.

ISO 22301 Clause 8.4 - Business Continuity Plans and Procedures

Clause 8.4’s plans and procedures refer to those you’ll use to ensure you are properly managing disruptions and, again, build on the outputs of your selected strategies and solutions from clause 8.3.

The steps and solutions of these plans should aim foremost to be effective in minimizing the impact of the disruption, and so should include details regarding:

  • Procedures for warning and communication;
  • Specific steps for mitigating disruption;
  • Roles and responsibilities of each team and how they interact with each other; and

Overall, your plan should allow you to—in the event of an incident:

  • Properly assess the nature and extent of disruption and potential impact;
  • Activate an appropriate response and solution; and
  • Establish a way to monitor and communicate the effects of the disruption to interested parties.

ISO 22301 Clause 8.5 - Exercise Program

With all these plans established, clause 8.5 then requires business continuity exercises as validation that your plans, strategies, and solutions are timely and effective. To help develop and confirm the necessary teamwork, competence, and knowledge of those responsible for leading the organization through business continuity disruptions, these tests/exercises should:

  • Be consistent with your established business continuity objectives;
  • Be based on appropriate scenarios with defined objectives;
  • Be performed at planned intervals; and
  • Contain a post-exercise review.

However, it’s not enough to just perform these exercises—you must also evaluate the effectiveness and adequacy of the results and implement changes and/or improvements so that the tests mimic real-life disruptions as closely as possible.

ISO 22301 Clause 8.6 - Evaluation of Business Continuity Documentation and Capabilities

Finally, clause 8.6 provides guidance—including a template—for the regular re-evaluation of all the work you’ve done to satisfy the previous clauses. By periodically reviewing all your established business continuity documentation and capabilities, you’ll ensure that your BCMS remains effective and up-to-date as your organization evolves.


Moving Forward with ISO 22301 Certification

Though becoming certified against any of the ISO family of standards can be a huge boon to an organization, the work of aligning with the requirements is a heavy lift—ISO 22301 included.

But now you understand a bit more about the requirements of this standard focused on improving and maintaining business continuity, and how thorough it requires you to be: the business impact analysis, policies, objectives, risk assessments, strategies, solutions, plans and procedures, validation exercises, and post-incident reports that you’ll need to create and implement in order to become ISO 22301 certified.

If you have further questions about the standard or would like to speak with Schellman regarding a possible partnership for certification, contact us today to be put in touch with our experts, who would be happy to speak with you.

About Matthew Gierl

Matthew Gierl is a Senior Associate with Schellman. Prior to joining the firm in February of 2018, Matthew worked as an IT Risk Consultant specializing in SOC 1 and SOC 2 testing. As a Senior Associate with Schellman, Matt is now focused primarily on helping organizations across various industries achieve different ISO certifications.