
BS EN ISO 22313:2020 – TC

$280.87

Tracked Changes. Security and resilience. Business continuity management systems. Guidance on the use of ISO 22301

Published by: BSI
Publication date: 2020
Number of pages: 163

This document gives guidance and recommendations for applying the requirements of the business continuity management system (BCMS) given in ISO 22301. The guidance and recommendations are based on good international practice.

This document is applicable to organizations that:

  1. implement, maintain and improve a BCMS;

  2. seek to ensure conformity with stated business continuity policy;

  3. need to be able to continue to deliver products and services at an acceptable predefined capacity during a disruption;

  4. seek to enhance their resilience through the effective application of the BCMS.

The guidance and recommendations are applicable to all sizes and types of organizations, including large, medium and small organizations operating in industrial, commercial, public and not-for-profit sectors. The approach adopted depends on the organization’s operating environment and complexity.

PDF Catalog

PDF page | PDF title
1 compares BS EN ISO 22313:2020
2 TRACKED CHANGES
Text example 1 — indicates added text (in green)
3 National foreword
Compliance with a British Standard cannot confer immunity from legal obligations.
Amendments/corrigenda issued since publication
8 Foreword
9 Introduction
0.1 General
10 0.2 Benefits of a business continuity management system
11 0.3 The Plan-Do-Check-Act (PDCA) cycle
Table 1 — Explanation of PDCA cycle
13 Table 2 — Relationship between the PDCA cycle (was: PDCA model) and Clauses 4 to 10
14 Figure 2 — Illustration of business continuity being effective for sudden disruption
15 Figure 3 — Illustration of business continuity being effective for gradual disruption
0.5 Contents of this document
16 0.6 Business continuity
18 1 Scope
2 Normative references
19 3 Terms and definitions
3.1
business continuity management
process of implementing and maintaining business continuity
4 Context of the organization
4.1 Understanding of the organization and its context
20 4.2 Understanding the needs and expectations of interested parties
4.2.1 General
21 Figure 4 — Examples of interested parties to be considered in public and private sectors
22 4.2.2 Legal and regulatory requirements
4.3 Determining the scope of the business continuity management system
4.3.1 General
23 4.3.2 Scope of the business continuity management system (was: Scope of the BCMS)
4.3.3 Exclusions to scope
24 4.4 Business continuity management system
5 Leadership
5.1 Leadership and commitment
5.1.1 General
5.1.2 Top management (was 5.2 Management commitment)
25 5.1.3 Other managerial roles
26 5.2 Policy (was 5.3)
5.2.1 Establishing the business continuity policy
27 5.2.2 Communicating the business continuity policy
5.3 Roles, responsibilities and authorities (was 5.4 Organizational roles, responsibilities and authorities)
28 Table 3 — Examples of BCMS roles and responsibilities
29 6 Planning
6.1 Actions to address risks and opportunities
6.1.1 Determining risks and opportunities
Determining and addressing risks and opportunities enables the organization to:
6.1.2 Addressing risks and opportunities
The organization should plan the actions needed to address these risks and opportunities in a manner that:
30 6.2 Business continuity objectives and planning to achieve them (was: Business continuity objectives and plans to achieve them)
6.2.1 Establishing business continuity objectives
6.2.2 Determining business continuity objectives
31 6.3 Planning changes to the business continuity management system
Changes to the BCMS, including those identified in 10.1, should be carefully planned to ensure that the intended purpose is fully investigated and understood. This should include contemplation of the consequences of the changes proposed, ensuring that…
The organization should also make sure that appropriate and sufficient resources are available, and that responsibilities and authorities are allocated or reallocated as necessary.
7 Support
7.1 Resources
7.1.1 General
7.1.2 BCMS resources
32 7.1.3 Incident response personnel
7.2 Competence
34 7.3 Awareness
35 7.4 Communication
e) ensuring availability of the means of communication during a disruptive incident;
36 The organization should provide effective external communication as part of its awareness programme (see 7.3) and when responding to an incident (see 8.4.4).
7.5 Documented information
7.5.1 General
38 7.5.2 Creating and updating (was: Create and update)
7.5.3 Control of documented information
39 7.5.3.2 Types of control
8 Operation
8.1 Operational planning and control
8.1.1 General
40 8.1.1 Elements of BCM
Figure 5 — Elements of business continuity management (BCM)
a) Operational planning and control (8.1)
b) Business impact analysis and risk assessment (8.2)
41 c) Business continuity strategy (8.3)
NOTE The chosen strategies need to take into account any risk treatment that is already in place within the organization (8.3.3).
d) Establish and implement business continuity procedures (8.4)
e) Exercising and testing (8.5)
8.1.2 Business continuity management
42 f) Evaluation of business continuity documentation and capabilities (see 8.6): The organization should evaluate its business continuity management to ensure that it is effective and enables the organization to achieve its business continuity objectives.
Figure 5 — Elements of business continuity management
8.1.2 Managing the BCM environment
43 8.1.3 Maintaining business continuity
8.1.4 Measuring effectiveness
8.1.5 Outcomes
44 8.2 Business impact analysis and risk assessment
8.2.1 General
Figure 6 — Understanding the organization
45 8.2.2 Business impact analysis
46 Table 4 — Examples of type of impact
49 8.2.3 Risk assessment
50 8.3 Business continuity strategy
8.3.1 Determination and selection
8.3 Business continuity strategies and solutions
8.3.1 General
51 8.3.2 Identification of strategies and solutions
8.3.2.1 General
8.3.2.2 Protecting prioritized activities (was 8.3.1.2)
52 8.3.2.3 Stabilizing, continuing, resuming and recovering prioritized activities (was 8.3.1.3)
53 8.3.1.4 Mitigating, responding to and managing impacts
a) Insurance: Purchase of insurance may provide some financial recompense for some losses, but will not meet all costs (e.g. uninsured events, brand, reputation, interested parties value, market share and human consequences). A financial settlement al…
8.3.1.5 Business continuity of suppliers
54 — the complexity and scale of recovery requirements or the need for specialist equipment with a long lead time.
— providing remote working capabilities for key staff.
8.3.2.4 Mitigating, responding to and managing impacts
— analyse the notification protocols to determine if they align with the needs of the organization.
55 8.3.3 Selection of strategies and solutions
8.3.4 Resource requirements (was 8.3.2 Establishing resource requirements)
8.3.4.2 People (was 8.3.2.2)
56 8.3.4.2.2 Incident response
8.3.4.2.3 Resumption of activities
57 8.3.4.3 Information and data (was 8.3.2.3)
58 8.3.4.4 Buildings, workplaces and associated utilities (was 8.3.2.4 Buildings, work environment and associated utilities)
59 8.3.4.5 Equipment and consumables (was 8.3.2.5 Facilities, equipment and consumables)
60 8.3.4.6 ICT systems (was 8.3.2.6 Information communications technology systems)
61 8.3.4.7 Transportation and logistics (was 8.3.2.7)
8.3.4.8 Finance (was 8.3.2.8)
8.3.3 Protection and mitigation
8.4 Establish and implement business continuity procedures
8.4.1 General
62 8.3.4.9 Partners and the supply chain
63 8.3.5 Implementation of solutions
8.4 Business continuity plans and procedures
8.4.1 General
64 8.4.2 Response structure
8.4.2.2 Design
8.4.2.3 Team capabilities
65 8.4.2.4 Team composition and guidance
8.4.3 Warning and communication
8.4.3.2 Incident communication procedures
66 8.4.3.3 Incident communication facilities
67 8.4.3.2 Alerting interested parties
8.4.4 Business continuity plans
68 Table 5 — Examples of teams and possible roles and responsibilities
69 8.4.4.2.2 Responding to incidents
70 8.4.4.2 Content of business continuity plans
71 8.4.4.3 Specific types of procedures
8.4.4.3.1 Incident management / strategic management procedures
72 8.4.4.3 Content and usability
8.4.4.3.2 Guidance and supporting information
73 8.4.4.3.3 Usability
8.4.4.4 Incident/strategic management
8.4.4.5 Communications procedures (was 8.4.4.3.2)
74 8.4.4.6 Safety and welfare procedures (was 8.4.4.3.3)
75 8.4.4.7 Salvage and security procedures (was 8.4.4.3.4)
8.4.4.3.5 Procedures for resuming activities
8.4.4.8 Resumption of prioritized activities
76 8.4.4.9 Recovery of ICT systems (was 8.4.4.3.6 Recovery of information communications technology systems)
77 8.4.5 Recovery
78 8.5 Exercise programme (was: Exercising and testing)
8.5.1 General
8.5.2 Design of the exercise programme (was: Exercise programme)
No matter how well designed and thought-out a procedure appears to be, a series of robust and realistic exercises will identify areas for improvement.
79 8.5.3 Exercising business continuity plans
82 Table 6 — Sample descriptions of exercise methods
83 8.6 Evaluation of business continuity documentation and capabilities (was 9.1.2 Evaluation of business continuity procedures)
8.6.1 General
84 In the event of an incident that disrupts the organization’s prioritized activities or requires an incident response, a post-incident review should be undertaken. This may include:
8.6.2 Measuring effectiveness
85 8.6.3 Outcomes
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 General
87 9.1.2 Retention of evidence
9.1.3 Performance evaluation
9.2 Internal audit
9.2.1 General
9.2.2 Audit programme(s)
9.3 Management review
9.3.1 General
88 9.3.2 Management review input
9.3.3 Management review outputs
9.3.3.1 Improvement of the BCMS
89 9.3.3.2 Retention of documented information
10 Improvement
10.1 Nonconformity and corrective action
10.1.1 General
10.1.2 Occurrence of nonconformity
90 10.1.3 Retention of documented information
10.2 Continual improvement
91 Bibliography
95 European foreword
Endorsement notice
99 Foreword
100 Introduction
107 1 Scope
2 Normative references
3 Terms and definitions
108 4 Context of the organization
4.1 Understanding the organization and its context
109 4.2 Understanding the needs and expectations of interested parties
4.2.1 General
4.2.2 Legal and regulatory requirements
110 4.3 Determining the scope of the business continuity management system
4.3.1 General
4.3.2 Scope of the business continuity management system
4.3.3 Exclusions to scope
111 4.4 Business continuity management system
5 Leadership
5.1 Leadership and commitment
5.1.1 General
5.1.2 Top management
112 5.1.3 Other managerial roles
5.2 Policy
5.2.1 Establishing the business continuity policy
113 5.2.2 Communicating the business continuity policy
5.3 Roles, responsibilities and authorities
115 6 Planning
6.1 Actions to address risks and opportunities
6.1.1 Determining risks and opportunities
6.1.2 Addressing risks and opportunities
116 6.2 Business continuity objectives and planning to achieve them
6.2.1 Establishing business continuity objectives
6.2.2 Determining business continuity objectives
6.3 Planning changes to the business continuity management system
117 7 Support
7.1 Resources
7.1.1 General
7.1.2 BCMS resources
7.2 Competence
119 7.3 Awareness
120 7.4 Communication
121 7.5 Documented information
7.5.1 General
122 7.5.2 Creating and updating
7.5.3 Control of documented information
123 8 Operation
8.1 Operational planning and control
8.1.1 General
124 8.1.2 Business continuity management
125 8.1.3 Maintaining business continuity
126 8.2 Business impact analysis and risk assessment
8.2.1 General
8.2.2 Business impact analysis
129 8.2.3 Risk assessment
131 8.3 Business continuity strategies and solutions
8.3.1 General
8.3.2 Identification of strategies and solutions
134 8.3.3 Selection of strategies and solutions
8.3.4 Resource requirements
140 8.3.5 Implementation of solutions
141 8.4 Business continuity plans and procedures
8.4.1 General
8.4.2 Response structure
142 8.4.3 Warning and communication
144 8.4.4 Business continuity plans
149 8.4.5 Recovery
150 8.5 Exercise programme
8.5.1 General
8.5.2 Design of the exercise programme
151 8.5.3 Exercising business continuity plans
154 8.6 Evaluation of business continuity documentation and capabilities
8.6.1 General
155 8.6.2 Measuring effectiveness
8.6.3 Outcomes
156 9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 General
9.1.2 Retention of evidence
9.1.3 Performance evaluation
157 9.2 Internal audit
9.2.1 General
9.2.2 Audit programme(s)
9.3 Management review
9.3.1 General
9.3.2 Management review input
158 9.3.3 Management review outputs
10 Improvement
10.1 Nonconformity and corrective action
10.1.1 General
159 10.1.2 Occurrence of nonconformity
10.1.3 Retention of documented information
10.2 Continual improvement
161 Bibliography