ISO 22301
April 2018
If the risk falls outside the risk acceptance criteria, the organisation should take action. This could be an extreme response, such as suspending an activity altogether, or it could be something more moderate, such as taking out insurance or providing backups.

BCP

The content of the BCP is developed on the basis of the BIA and risk assessment. This ensures that it accurately reflects an organisation's needs and specific circumstances.

BCPs often include:
• Contact details for authorities, suppliers and other interested parties;
• Call trees featuring key staff to ensure availability of the right competence; and
• Checklists or steps to be taken in the case of specific events.

Ultimately, the goal is to stabilise the situation, allowing the organisation to continue operating despite the incident.

BCP vs BCMS

The BCP is the core of any BCMS. It records the actions that an organisation will take in response to any incident that threatens its key activities.

It is not uncommon to find organisations that have a BCP but not a BCMS in place. As a result, they lack the main benefits of a management system.

In a full BCMS, the BCP is developed, tested and reviewed consistently, in line with a process that becomes more and more rigorous over time, thereby improving the BCP.

In addition to this, employees are made aware of the BCP's existence through a formal process, and understand their assigned roles and responsibilities in the event of an incident.

Evaluating performance and continual improvement

In order to meet the requirements of ISO 22301, you need a continual improvement process. This is generally a good idea even if you choose to implement a BCMS without taking the Standard into account, as it ensures your BCMS is able to adapt to new threats and changes in the business environment.

ISO 22301 specifically recommends the Plan-Do-Check-Act (PDCA) model for your BCMS. The idea is that you first plan what you intend to do, then execute (or do) that plan. Next, you check the performance and decide if anything needs to be fixed or improved. Finally, you act upon those decisions.

The performance checking usually occurs after an exercise (typically on a biannual basis), an internal audit or an activation of the plan. Testing the BCP is vital to ensure that your plan works effectively and that people know what to do if an incident occurs.

Cyber resilience

Cyber resilience is becoming an increasingly critical survival trait for organisations: statistics show that the two top threats are cyber attacks and data breaches.[2]

Developing cyber resilience involves implementing cyber security measures along with measures for business continuity management.

Cyber resilience typically covers five key domains:
1. Identify potential threats.
2. Protect yourself against these threats.
3. Detect any breaches and other incidents.
4. Respond to any incidents that occur.
5. Recover from these incidents.

The fourth and fifth domains, respond and recover, are business continuity measures. As soon as an attack or other incident has been discovered, an organisation should take immediate action as mandated by its BCP.

Cyber attacks and data breaches are the two threats that organisations should be most concerned about, as even the most stringent information security measures cannot offer absolute protection. However, if you are cyber resilient, drawing on key business continuity practices to keep the organisation functioning, your organisation will put itself in a very strong position.
Standards
ISO 22301 BCMS Requirements
The requirements for a BCMS that enables an organisation to prepare for a disruptive incident. This standard is essential for an ISO 22301-certified BCMS.
Books
ISO22301 – A Pocket Guide
ISO22301 – A Pocket Guide will help you understand international business
continuity best practice, and provides guidance on the best way to implement a
BCMS tailored to your organisation.
Toolkits
The Complete ISO22301 (BCMS) Toolkit Suite
Accelerate your ISO 22301 BCMS implementation project with this complete
toolkit suite, which includes all the necessary information, direction and tools to
streamline your project.
Consultancy
FastTrack™ Business Continuity Management/ISO 22301 Consultancy
This unique consultancy service helps you to implement a robust BCMS and
achieve ISO 22301 certification, with minimal business disruption and within a
limited budget.
IT Governance is your one-stop shop for corporate and IT governance information, books,
tools, training and consultancy. Our products and services are designed to work harmoniously
together so you can benefit from them individually and also use different elements to enhance
your cyber security.
Books
We sell sought-after publications covering all areas of corporate and IT governance. Our
publishing team also manages a growing collection of titles that provide practical advice for
staff taking part in IT governance projects, suitable for all levels of staff knowledge,
responsibility and experience.
Visit www.itgovernance.co.uk/shop/category/itgp-books to view our full catalogue.
Toolkits
Our unique documentation toolkits are designed to help organisations adapt quickly and adopt
best management practice using pre-written policies, forms and documents.
Visit www.itgovernance.co.uk/product-demos to view and trial our toolkits.
Training
We offer training courses from staff awareness and Foundation courses, through to advanced
programmes for IT practitioners and certified lead implementers and auditors.
Our training team organises and runs in-house and public training courses all year round, as
well as Live Online and distance-learning classes, covering a growing number of IT governance
topics.
Visit www.itgovernance.co.uk/training for more information.
Through our website, you can also browse and book training courses throughout the UK that
are run by a number of different suppliers.
Consultancy
Our company is an acknowledged world leader in our field. Our experienced consultants, with
multi-sector and multi-standard knowledge and experience, can help you accelerate your IT
GRC (governance, risk, compliance) projects.
Visit www.itgovernance.co.uk/consulting for more information.
Software
Our industry-leading software tools, developed with your needs and requirements in mind,
make information security risk management straightforward and affordable for all, enabling
organisations worldwide to be ISO 27001-compliant.
Visit www.itgovernance.co.uk/software for more information.