ISO 22301

Accessibility of business continuity plans

Critical

High

Normal

Low

Business continuity plan activation and initial response

Critical

High

Normal

Low

Creating and documenting continuity plans

Critical

High

Normal

Low

10.2: Continual improvement

The organization must demonstrate a commitment to the perpetual refinement of its Business Continuity Management System (BCMS) to ensure its ongoing suitability, adequacy, and effectiveness. This improvement cycle shall be informed by both qualitative assessments and quantitative metrics. Furthermore, the organization is required to leverage the outputs from analysis, evaluation, and management reviews to proactively identify needs and opportunities. These findings must be systematically addressed as integral components of the BCMS's continual evolution.

Related tasks

BCMS improvement program

Critical

High

Normal

Low

Cyber security management

5.1: Leadership and commitment

Executive leadership is fundamentally accountable for the Business Continuity Management System (BCMS). This commitment is demonstrated by aligning BCMS policy with strategic goals and embedding its requirements into operational processes. It is their duty to provide all necessary resources and effectively communicate the importance of continuity throughout the organization. Furthermore, leadership must steer the BCMS toward its objectives, support personnel in their roles, and actively promote a cycle of continuous improvement to enhance its effectiveness.

Related tasks

Management commitment to the BCMS

Critical

High

Normal

Low

Defining the organization's continuity strategy

Critical

High

Normal

Low

8.3.1: Business continuity strategies and solutions

The organization is required to develop and approve a strategic framework for business continuity based on the conclusions of its risk assessment and business impact analysis. This framework must holistically address operational resilience by defining options for managing disruptions across their entire lifecycle—from pre-incident mitigation to in-event response and post-incident recovery. The resulting strategies are to be constructed from a combination of one or more specific technical or procedural solutions.

Related tasks

Development of business continuity strategies covering the full disruption lifecycle

Critical

High

Normal

Low

Defining the organization's continuity strategy

Critical

High

Normal

Low

6.1.2: Addressing risks and opportunities

The organization must formulate a proactive response strategy for all identified risks and opportunities. This strategy requires a clear methodology for integrating and executing the necessary actions within the framework of its business continuity management system (BCMS). Following implementation, the organization is also responsible for establishing a process to evaluate the effectiveness of these actions, ensuring they successfully meet their intended goals.

Related tasks

Planning and evaluating risk and opportunity responses

Critical

High

Normal

Low

Risk management procedure -report publishing and maintenance

Critical

High

Normal

Low

Consideration of risk management results in continuity planning

Critical

High

Normal

Low

7.1: Resources

The organization is responsible for the allocation of all necessary assets required for the Business Continuity Management System (BCMS). This obligation includes ensuring sufficient resources are available throughout the system's entire lifecycle, covering its initial establishment, practical implementation, routine maintenance, and its continuous evolution and enhancement.

Related tasks

Resource management for the BCMS

Critical

High

Normal

Low

9.1: Monitoring, measurement, analysis and evaluation

To assess the operational performance and effectiveness of its Business Continuity Management System (BCMS), the organization must establish a comprehensive monitoring and measurement process. This involves defining the scope of what will be monitored, determining suitable methods for data collection and analysis to ensure valid results, and assigning clear schedules and responsibilities for these activities. The outcomes of all monitoring, measurement, analysis, and evaluation must be retained as documented information to serve as a formal record. This structured approach provides the necessary evidence for evaluating the BCMS's overall efficacy.

Related tasks

BCMS performance monitoring

Critical

High

Normal

Low

Documenting and presenting BCMS evaluation results

Critical

High

Normal

Low

4.2.1: Interested parties

The foundation of an effective Business Continuity Management System (BCMS) rests upon the organization's ability to define its operational context. This requires the identification of all pertinent stakeholders relevant to the BCMS. Furthermore, the organization is obligated to systematically ascertain and document the specific requirements and expectations of these interested parties to ensure the system's objectives are properly aligned. The organization must also consider if any relevant stakeholders have climate change related requirements. (Amd 1:2024).

Related tasks

Assessment of climate change

Critical

High

Normal

Low

Agreements and monitoring

Data processing partner listing and owner assignment

Critical

High

Normal

Low

Documentation of other stakeholders

Critical

High

Normal

Low

Agreements and monitoring

Incident management and response

8.4.5: Recovery

The organization must maintain documented procedures for resuming standard business functions following a disruption. These protocols shall govern the transition away from any temporary measures or contingency arrangements that were activated during the incident. The objective is to ensure a structured and orderly return to normal operations once recovery is possible.

Related tasks

Management of temporary security measures

Critical

High

Normal

Low

Developing and executing a recovery plan

Critical

High

Normal

Low

Incident management and response

Process management and monitoring

8.1: Operational planning and control

To meet information security objectives and implement risk treatment actions, the organization must establish and maintain operational control. This is achieved by defining clear criteria for all relevant processes and ensuring they are executed in accordance with those standards. Sufficient documented evidence must be retained to provide assurance of process conformity. The organization is also responsible for managing change; this includes overseeing planned modifications and evaluating the impact of unforeseen alterations to mitigate adverse effects. Crucially, oversight must extend to all externally provided processes and supply chain elements that are pertinent to the information security framework.

Related tasks

Operational process planning and control

Critical

High

Normal

Low

Retention of documented information for operational control

Critical

High

Normal

Low

Process management and monitoring

Management of planned and unintended operational changes

Critical

High

Normal

Low

Control of outsourced processes and supply chain

Critical

High

Normal

Low

Supplier security

Cyber security management

9.3.1: Management review

The organization’s leadership is accountable for conducting formal assessments of the Business Continuity Management System (BCMS) on a regularly scheduled basis. These periodic evaluations are critical to verify that the continuity framework continues to be appropriate, sufficient, and operationally sound. The purpose of this scrutiny is to confirm the BCMS remains fit for purpose and aligned with the organization's strategic direction and risk appetite, ensuring its ongoing effectiveness.

Related tasks

Implementation and documentation of management reviews

Critical

High

Normal

Low

8.2.3: Risk assessment

The organization is required to establish and maintain a structured risk assessment process. This procedure must ensure the methodical identification of potential threats that could disrupt prioritized business activities and their underlying resources. Following their identification, these risks must undergo a thorough analysis and evaluation. The outcome of this assessment will be a determination of which risks are deemed significant enough to necessitate formal treatment, thereby informing the organization's risk mitigation strategy.

Related tasks

Security strategy and treatment selection criteria

Critical

High

Normal

Low

Risk management procedure -report publishing and maintenance

Critical

High

Normal

Low

Identification of risks endangering the continuity of operations and their handling plans

Critical

High

Normal

Low

8.3.4: Resource requirements

For the successful execution of its chosen business continuity strategies, the organization is required to conduct a comprehensive assessment and provision of necessary resources. This evaluation must extend across multiple domains, including personnel, essential data, and information assets. It should also account for physical infrastructure such as operational sites and associated utilities, along with required equipment and supplies. The scope must further encompass technology and communication infrastructure, transportation logistics, financial backing, and dependencies on external partners and suppliers.

Related tasks

Assessment of business continuity resources

Critical

High

Normal

Low

4.1: Organization and its context

To ensure the Business Continuity Management System (BCMS) achieves its intended results, the organization must conduct a thorough analysis of its operating context. This involves identifying all internal and external factors that are relevant to its core purpose and that impact the BCMS's performance. As a mandatory component of this contextual review, the organization is also obligated to assess whether climate change constitutes a pertinent issue that could affect its continuity capabilities and must be addressed accordingly.

Related tasks

Definition and documentation of the BCMS scope

Critical

High

Normal

Low

Assessment of climate change

Critical

High

Normal

Low

Cyber security management

Identification of internal and external factors for business continuity management

Critical

High

Normal

Low

Incident management and response

8.4.1: Business continuity plans and procedures

The organization must establish and sustain a formal response framework to ensure prompt communication with all relevant parties during an incident. This framework requires documented business continuity procedures, which are to be developed from pre-selected strategies and solutions. These procedures must be structured to guide the activation of continuity measures and effectively manage the organization throughout a disruption. They should be sufficiently detailed to direct immediate response actions while remaining adaptable to the dynamic nature of a crisis. A core focus must be on minimizing the operational impact of incidents, supported by clearly defined roles and responsibilities for all assigned tasks.

Related tasks

Incident warning and communication procedures

Critical

High

Normal

Low

Business continuity procedure design and adaptability

Critical

High

Normal

Low

Creating and documenting continuity plans

Critical

High

Normal

Low

6.1.1: Determining risks and opportunities

The strategic planning for the Business Continuity Management System (BCMS) must be informed by the organization's context and the requirements of interested parties. This process is essential for determining the risks and opportunities that require management. Addressing these elements is mandatory to provide assurance that the BCMS will achieve its stated objectives, prevent or reduce undesired effects, and drive continual enhancement of the system.

Related tasks

Strategic opportunities and positive risks

Critical

High

Normal

Low

Identification and documentation of cyber security risks

Critical

High

Normal

Low

Risk management procedure -report publishing and maintenance

Critical

High

Normal

Low

Risk level accepted by the organization

Critical

High

Normal

Low

Consideration of critical functions in risk management

Critical

High

Normal

Low