ISO 22301:2012 Societal security business continuity management system

ISO 22301:2019, Security and resilience – Business continuity management systems – Requirements, is a management system standard published by the International Organization for Standardization. It specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system that protects against, reduces the likelihood of, prepares for, responds to, and recovers from disruptive incidents when they arise. It is intended to be applicable to all organizations, or parts thereof, regardless of the type, size and nature of the organization.

Organizations that implement a business continuity management system (BCMS) based on the requirements of ISO 22301 can undergo a formal assessment process through which they can obtain accredited certification against this standard. A certified BCMS demonstrates to internal and external stakeholders that the organization is adhering to good practices in business continuity management.

Scope and contents

Similar to other management system standards by ISO, the requirements specified in ISO 22301 are generic and intended to be applicable to all organizations, regardless of type, size, and industry. However, the extent of applicability of the requirements depends on the organization’s environment and complexity.

ISO 22301 is divided into 10 main clauses and has adopted the high-level structure and standardized text set out by Annex L.

The standard is divided as follows:

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

The high-level structure of ISO 22301, shared with other ISO management system standards such as ISO/IEC 27001, ISO 9001 and ISO/IEC 20000-1, creates a consistency that can help organizations integrate several management systems. This can help organizations improve efficiency, eliminate duplication, and achieve cost savings.

Any event that could negatively impact operations should be included in the plan, such as supply chain interruption or loss of or damage to critical infrastructure (major machinery or computing/network resources). As such, business continuity planning (BCP) is a subset of risk management. In the U.S., government entities refer to the process as continuity of operations planning (COOP). A Business Continuity Plan outlines a range of disaster scenarios and the steps the business will take in any particular scenario to return to regular trade. BCPs are written ahead of time and can also include precautions to be put in place. Usually created with the input of key staff as well as stakeholders, a BCP is a set of contingencies to minimize potential harm to businesses during adverse scenarios.

Resilience

A 2005 analysis of how disruptions can adversely affect the operations of corporations and how investments in resilience can give a competitive advantage over entities not prepared for various contingencies extended then-common business continuity planning practices. Business organizations such as the Council on Competitiveness embraced this resilience goal.

Adapting to change in an apparently slower, more evolutionary manner – sometimes over many years or decades – has been described as being more resilient, and the term “strategic resilience” is now used to mean not merely resisting a one-time crisis but continuously anticipating and adjusting, “before the case for change becomes desperately obvious”.

This approach is sometimes summarized as: preparedness, protection, response and recovery.

Resilience Theory can be related to the field of Public Relations. Resilience is a communicative process that is constructed by citizens, families, media system, organizations and governments through everyday talk and mediated conversation.

The theory is based on the work of Patrice M. Buzzanell, a professor at the Brian Lamb School of Communication at Purdue University. In her 2010 article, “Resilience: Talking, Resisting, and Imagining New Normalcies Into Being”, Buzzanell discussed the ability of organizations to thrive after a crisis through building resistance. Buzzanell notes that there are five different processes that individuals use when trying to maintain resilience: crafting normalcy, affirming identity anchors, maintaining and using communication networks, putting alternative logics to work, and downplaying negative feelings while foregrounding positive emotions.

Crisis communication theory is similar to resilience theory, but not the same. Crisis communication theory is based on the reputation of the company, whereas resilience theory is based on the company's process of recovery. There are five main components of resilience: crafting normalcy, affirming identity anchors, maintaining and using communication networks, putting alternative logics to work, and downplaying negative feelings while foregrounding positive emotions. Each of these processes can be applied to businesses in times of crisis, making resilience an important factor for companies to focus on in training.

There are three main groups that are affected by a crisis: micro (individual), meso (group or organization) and macro (national or interorganizational). There are also two main types of resilience: proactive resilience and post resilience. Proactive resilience is preparing for a crisis and creating a solid foundation for the company; it deals with issues at hand before they cause a possible shift in the work environment. Post resilience includes continuing to maintain communication, checking in with employees, and accepting changes after an incident has happened. Resilience can be applied to any organization.