How to Achieve and Maintain ISO 22301 Business Continuity Management Certification?

In this article we will look at how to achieve and maintain ISO 22301 Business Continuity Management (BCM) certification for any organization. We will discuss the artifacts, the compliance requirements, and the new generation of automated tools that can be customized to meet all of those requirements. The discussion also covers scope and the resources needed from the IT and business sides for this mandatory compliance.

Set the expectation and define ownership

It is always important to clarify expectations with the customer, and to make the customer understand that if they are heading towards ISO 22301 business continuity management certification, the program they follow will be under the customer's official ownership. You, or any vendor on the business continuity consulting team, are merely a facilitator, implementer or advisor. This expectation needs to be documented well. You need to assure the customer that, although the business continuity team will always stand by, it is the customer who will ultimately face the auditor. All circulars, advisories and authorizations issued under the security program must go out from the customer's office. You must also understand that ownership is entirely yours if the scope of certification is defined as the work carried out by you as the vendor; however, such requirements are scarce. So now you may see why defining the scope is so important: it also determines who owns the business continuity program.

Ownership, however, never means that we, as the service provider facilitating ISO certification, are relieved of our own responsibilities. When we discuss the selection of ISO 22301 business continuity controls, we will touch upon how ownership of implementing and maintaining those controls remains with the applicable stakeholders, all of whom report to the owner to ensure the customer's assurance with respect to the business continuity program.

Understand about ISO 22301 BCMS compliance and mandatory controls

Let us understand a little more about the ISO 22301 standard before we go into the actual working steps.

If one is undergoing ISO 22301 BCMS certification, each and every statement written under the sections below must be complied with and is auditable during the certification audit. Why? Because these sections form the base of an organization's BCMS program; in other words, compliance with these sections assures an auditor that you have a reliable security framework in place to sustain your certification once it is attained.

  1. Pre-planning stages
    • BCM Scope and Objectives
    • BCM Senior Management buy-in for direction and dedicated Budget
    • BCM Project Initiation, Risk Assessment and Controls
    • Business Impact Analysis
  2. Planning stages
    • Developing the business continuity strategy
    • Emergency Response and Critical Incident Management Plans and Call Tree Exercise
    • Development of Business Continuity Plans and Business Recovery Procedures
  3. Post-planning stages
    • Business Continuity awareness and competency-based training for embedding a BCMS culture
    • Maintaining and Exercising Business Continuity Plans
    • Public Relations and Crisis Communication Plans
  4. Evaluation stages
    • Internal and External Audit with Corrective and Preventive Actions
    • Key Performance Indicators for BCMS Components

But some organizations will say: although I am implementing ISO 22301, I do not have a requirement to undergo certification now, or perhaps I have deferred the plan, so do I still need to comply with these controls? The answer is: if you are destined to go in for certification sooner or later, the earlier you start complying with these mandatory controls, the easier you will find the way ahead. Even if you are not going for certification, I would still suggest adopting them, to the extent possible or perhaps in a somewhat diluted manner, because, as I said, these sections are the base of your entire business continuity management program, and who in this world does not want a strong foundation?

There are web-based automated tools that can support implementing the ISO 22301 controls. If you use one of these new-generation, easily customizable business continuity management tools, it will be easier for you to achieve and maintain ISO 22301 BCMS certification.

Authored by Rajib Das

