Business Continuity and

ISO 22301
April 2018

Protect ● Comply ● Thrive

© IT Governance Ltd 2018 1 [Topic] v1.0
 IT Governance Green Paper

Business continuity and ISO 22301

Introduction
Organisations face a myriad of risks both
internal and external, which include cyber
attacks, natural disasters, power failures,
industrial action and human error. These
risks are often unpredictable and have the
potential to severely interrupt business
operations.
No business wants its critical functions
disrupted, or to be prevented from
accessing essential information. It is
therefore imperative to have a system in
place that maintains access to business
operations when an incident occurs.
Organisations are increasingly discovering
that having business continuity measures in
place are essential to survive – one survey
highlighted that 86.3% of responding
organisations expected to see changes to
their business continuity management
(BCM)1. Such changes included embarking
on an implementation project, revising
present strategies, or exercising and testing
current plans.
Implementing a business continuity
management system (BCMS) is the most
effective way to ensure your organisation
returns to ‘business as usual’ as quickly as
possible in the event of a disruption. The
international standard for business
continuity, ISO 22301:2012 (ISO 22301),
sets out the specifications for a
comprehensive BCMS.
Business continuity vs disaster
recovery
Although business continuity focuses on
preserving an organisation’s ability to
function, disaster recovery (DR) prioritises
returning to full functionality. Obviously,
there is a significant overlap.
DR as a discipline arose when computer
systems became intrinsic to organisations.
It referred specifically to services that
computer manufacturers and dedicated
service providers offered to achieve system
recovery in the aftermath of a disruption.
This definition has since expanded to
describe the recovery of business generally,
and not just computer systems.
The benefits of business continuity
Our world is increasingly interconnected,
and being able to respond to an incident
quickly is imperative. Even a small glitch
that lasts two hours can be enough to
cause revenue loss and long-term
reputational effects.
Being able to optimally recover from a
potentially damaging event, however, is
likely to benefit your organisation’s
reputation. Making business continuity
arrangements can minimise any costs
incurred by a disruptive incident and
improve overall insurance rates.
Additionally, some business contracts
require guarantees of organisational
resilience, so being able to demonstrate
your ability to survive such incidents may
also provide new business opportunities.
Finally, a growing body of legislation
requires organisations to enhance their
organisational resilience by mitigating risks
and successfully recovering from an
incident, should one occur. An example of
such legislation is the EU Directive on
security of network and information
systems (NIS Directive), which aims to
achieve a high common level of security
across EU member states and is due to be
transposed into national laws by 9 May
2018.
The NIS Directive
The NIS Directive sets a minimum standard
for resilience in essential infrastructure,
which applies to operators of essential
services (OES) and to digital service
providers (DSPs). Individual EU member
states are expected to classify which
sectors and organisations will be subject to
the NIS Directive.
To comply with the Directive’s
requirements, organisations will be

© IT Governance Ltd 2018 2 BC-ISO22301 v1.0

 IT Governance Green Paper
expected to enhance their cyber security by
employing appropriate risk management
and security measures, as well as adequate
incident response capabilities.
Implementing a BCMS would be a sound
approach to complying with the
requirements of the NIS Directive.
There are also requirements for cooperation
between member states, which will support
OES and DSPs that operate across borders,
while also providing the reassurance of a
certain amount of resilience for
organisations operating throughout the EU.
The UK government has recently published
information about how it will be
implementing the requirements of the NIS
Directive, and the Scottish government has
also released its Public Sector Cyber
Resilience Framework.
Principles of a BCMS
ISO 22301 is founded on a number of core
principles. These include:
• Management support;
• A business impact analysis (BIA);
• A risk assessment; and
• A business continuity plan (BCP).
A BCMS aligned with ISO 22301 will reflect
these core principles.
Management support
As with any major project, a BCMS must be
supported by the board and/or senior
management for it to be effective.
Support from management will help to
ensure that:
• Necessary resources will be available;
• The BCMS will be consistent with the
overall strategic direction of the
organisation;
• Continual improvement is promoted;
and
• The project will be supported
throughout the organisation.
If management provide support throughout
the project, staff are more likely to comply
with the BCMS requirements, making it
more effective overall.
© IT Governance Ltd 2018
When planning to implement any
management system, it is important to
remember that the board and/or senior
management are unlikely to commit to a
plan that has not been clearly defined. One
of the first considerations should be the
management system’s scope and
objectives.
BIA
The BIA is perhaps the most critical process
involved in a BCMS. It is used to identify an
organisation’s critical activities and its
dependencies, which are then used to
determine priorities for recovery following a
disruption.
The BIA will help you work out how quickly
each activity needs to be resumed following
an incident.
A critical outcome of the BIA is a recovery
time objective (RTO) for each activity,
which should also take into account that the
impact of an incident usually increases with
time. The RTOs will form the basis of the
BCP.
Risk assessment
A BIA is not in itself enough to prepare your
BCMS, as it only determines the value of
your organisation’s activities. It neglects
other important factors, such as:
• The specific incidents/scenarios that
can affect each of these business
activities;
• How likely these incidents are; or
• How severe these incidents might be.
A risk assessment, on the other hand, does
consider these factors. Ultimately, risk is
about the combination of impact – how
serious an incident would be if it occurred –
and how likely that occurrence is.
This ‘risk score’ can then be compared to
the organisation’s risk acceptance criteria,
which identifies the level of risk it is willing
to accept. This will be heavily influenced by
the nature and size of the organisation.
If the risk is low, you may choose to not do
anything about it, thus accepting its
existence.
3 BC-ISO22301 v1.0
 IT Governance Green Paper
If the risk falls outside the risk acceptance
criteria, the organisation should take action.
This could be an extreme response, such as
suspending an activity altogether, or it
could be something more moderate, such
as getting insured or providing backups.
BCP
The content of the BCP is developed on the
basis of the BIA and risk assessment. This
ensures that it accurately reflects an
organisation’s needs and specific
circumstances.
BCPs often include:
• Contact details for authorities, suppliers
and other interested parties;
• Call trees featuring key staff to ensure
availability of the right competence;
and
• Checklists or steps to be taken in the
case of specific events.
Ultimately, the goal is to stabilise the
situation, allowing the organisation to
continue operating despite the incident.
BCP vs BCMS
The BCP is the core of any BCMS. It records
the actions that an organisation will take in
response to any incident that threatens its
key activities.
It is not uncommon to find organisations
that have a BCP but not a BCMS in place.
As a result, they lack the main benefits of a
management system.
In a full BCMS, the BCP is developed, tested
and reviewed consistently, in line with a
process that becomes more and more
rigorous over time, thereby improving the
BCP.
In addition to this, employees are made
aware of the BCP’s existence through a
formal process, and understand their
assigned roles and responsibilities in the
event of an incident.
Evaluating performance and continual
improvement
In order to meet the requirements of ISO
22301, you need a continual improvement
process. This is generally a good idea even
if you choose to implement a BCMS without
taking the Standard into account, as it
© IT Governance Ltd 2018
ensures your BCMS is able to adapt to new
threats and changes in the business
environment.
ISO 22301 specifically recommends the
Plan-Do-Check-Act (PDCA) model for your
BCMS. The idea is that you first plan what
you intend to do, then execute (or do) that
plan. Next, you check the performance and
decide if anything needs to be fixed or
improved. Finally, you act upon those
decisions.
The performance checking usually occurs
after an exercise (typically on a biannual
basis), internal audit or activation. Testing
the BCP is vital to ensure that your plan
works effectively and people know what to
do if an incident occurs.
Cyber resilience
Cyber resilience is becoming an increasingly
critical survival trait for organisations –
statistics show that the two top threats are
cyber attacks and data breaches.2
Developing cyber resilience involves
implementing cyber security measures
along with measures for business continuity
management.
Cyber resilience typically covers five key
domains:
1. Identify potential threats.
2. Protect yourself against these threats.
3. Detect any breaches and other
incidents.
4. Respond to any incidents that occur.
5. Recover from these incidents.
The fourth and fifth domains, respond and
recover, refer to business continuity
measures. As soon as an attack or other
incident has been discovered, an
organisation should take immediate action
as mandated by its BCP.
Cyber attacks and data breaches are the
two threats that organisations should be
most concerned about, as even the most
stringent information security measures
cannot offer absolute protection. However,
if you are cyber resilient – drawing in key
business continuity practices to keep the
organisation functioning – your organisation
will put itself in a very strong position.
4 BC-ISO22301 v1.0
IT Governance business continuity
resources
IT Governance offers a unique range of products and services, including books, standards,
pocket guides, training courses, staff awareness solutions and professional consultancy
services.

Standards
ISO 22301 BCMS Requirements
The requirements for a BCMS to enable a company to prepare for a disruptive
incident. This standard is essential for an ISO 22301-certified BCMS.

ISO 22313 BCMS Guidance

The international standard for implementing a BCMS that meets the
requirements of ISO 22301.

Books
ISO22301 – A Pocket Guide
ISO22301 – A Pocket Guide will help you understand international business
continuity best practice, and provides guidance on the best way to implement a
BCMS tailored to your organisation.

A Manager’s Guide to ISO22301

This book is full of illustrative examples and practical guidance on developing
and implementing a BCMS. It discusses BIA and risk assessment in the context
of business continuity, and outlines key areas, including strategy, procedures,
testing, evaluation and improvement.

Toolkits
The Complete ISO22301 (BCMS) Toolkit Suite
Accelerate your ISO 22301 BCMS implementation project with this complete
toolkit suite, which includes all the necessary information, direction and tools to
streamline your project.

ISO22301 BCMS Documentation Toolkit

Accelerate your BCMS implementation project and ensure your organisation’s
survival by using this toolkit. It provides an easy-to-use set of customisable
and fully ISO 22301-compliant documentation templates that will save you time
and money.

© IT Governance Ltd 2018 5 BC-ISO22301 v1.0

Training
ISO22301 Certified BCMS Foundation Training Course
This course provides a comprehensive introduction to the ISO 22301:2012
standard and the requirements of a BCMS. Attendees who successfully complete
this one-day classroom course will be awarded the ISO22301 Certified BCMS
Foundation (CBC F) qualification.

ISO22301 Certified BCMS Lead Implementer Training Course

Gain the knowledge and skills required to implement an ISO 22301-compliant
BCMS in your organisation in just three days with this practical course.

ISO22301 Certified BCMS Lead Auditor Training Course

Gain the practical knowledge and skills required to plan and execute BCMS
audits in line with the ISO 22301:2012 requirements with this practical 4.5 day
course.

Consultancy
FastTrack™ Business Continuity Management/ISO 22301 Consultancy
This unique consultancy service helps you to implement a robust BCMS and
achieve ISO 22301 certification, with minimal business disruption and within a
limited budget.

ISO 22301 Internal Audit Service

Benefit from the expertise of qualified auditors with experience of ISO 22301
and the audit process. This service consists of two separate audit days spread
over one year.

ISO 22301 BCMS Managed Service

Benefit from the reliable advice and practical experience of a BCMS specialist to
manage, maintain, audit and continually improve your BCMS in line with the
requirements of ISO 22301.

Business Continuity Management/ISO 22301 Gap Analysis

Get the true picture of your business continuity management programme and
how you measure up against the requirements of ISO 22301. Receive expert
advice on scoping your BCMS project and establish resource requirements for
implementing a BCMS.

© IT Governance Ltd 2018 6 BC-ISO22301 v1.0

IT Governance solutions
IT Governance sources, creates and delivers products and services to meet the evolving IT
governance needs of today’s organisations, directors, managers and practitioners.

IT Governance is your one-stop shop for corporate and IT governance information, books,
tools, training and consultancy. Our products and services are designed to work harmoniously
together so you can benefit from them individually and also use different elements to enhance
your cyber security.
Books
We sell sought-after publications covering all areas of corporate and IT governance. Our
publishing team also manages a growing collection of titles that provide practical advice for
staff taking part in IT governance projects, suitable for all levels of staff knowledge,
responsibility and experience.
Visit www.itgovernance.co.uk/shop/category/itgp-books to view our full catalogue.
Toolkits
Our unique documentation toolkits are designed to help organisations adapt quickly and adopt
best management practice using pre-written policies, forms and documents.
Visit www.itgovernance.co.uk/product-demos to view and trial our toolkits.
Training
We offer training courses from staff awareness and Foundation courses, through to advanced
programmes for IT practitioners and certified lead implementers and auditors.
Our training team organises and runs in-house and public training courses all year round, as
well as Live Online and distance-learning classes, covering a growing number of IT governance
topics.
Visit www.itgovernance.co.uk/training for more information.
Through our website, you can also browse and book training courses throughout the UK that
are run by a number of different suppliers.
Consultancy
Our company is an acknowledged world leader in our field. Our experienced consultants, with
multi-sector and multi-standard knowledge and experience, can help you accelerate your IT
GRC (governance, risk, compliance) projects.
Visit www.itgovernance.co.uk/consulting for more information.
Software
Our industry-leading software tools, developed with your needs and requirements in mind,
make information security risk management straightforward and affordable for all, enabling
organisations worldwide to be ISO 27001-compliant.
Visit www.itgovernance.co.uk/software for more information.

Contact us: +44 (0)333 800 7000

www.itgovernance.co.uk servicecentre@itgovernance.co.uk

© IT Governance Ltd 2018 7 BC-ISO22301 v1.0

1
Continuity Central, “Business continuity trends and challenges: Survey results”, April 2015, http://www.continuitycentral.com/feature1300.html.
2
Business Continuity Institute, “Horizon Scan Report 2018”, 2018, https://www.thebci.org/uploads/assets/uploaded/a3158900-52d9-4df6-
ae7412ef10f85567.pdf.

© IT Governance Ltd 2018 8 BC-ISO22301 v1.0