u Interested parties – replaces “stakeholders”
u Leadership – requirements specific to top
u Maximum acceptable outage (MAO) – “time
it would take for adverse impacts, which
might arise as a result of not providing a
product/service or performing an activity, to
become unacceptable.” This is effectively
the same as maximum tolerable period of
disruption (MTPD) that was in BS 25999-2
u Minimum business continuity objective
(MBCO) – “minimum level of services
and/or products that is acceptable to
the organization to achieve its business
objectives during a disruption”
u Performance evaluation – covers the
measurement of BCMS and BCM
u Warning and communication – activities
undertaken during an incident
Clause 4.0 is a component of "plan" in the Plan Do Check Act (PDCA) cycle. It
introduces requirements necessary to establish the context of the BCMS as it applies
to the organization.
Those familiar with BS 25999 will see that Clause 4.0 is more focused on business
continuity at the organizational level.
It requires that the organization demonstrate an appreciation and understanding of its
reason for existence aligned with the needs and expectations of its stakeholders.
This will determine its business continuity policy and objectives, how it will consider risk,
and the effect of risk on its business.
Consideration of an appropriate scope for the BCMS is required and a link with core
objectives and stakeholder requirements should be evident.
Also, a component of "plan." Clause 5.0 summarizes the requirements specific to top
management’s role in the BCMS, and how leadership articulates its expectations to the
organization via a policy statement.
Clause 5.0 introduces a new focus on top management. Top management leadership
shall be demonstrable towards the management system.
Clause 6.0 introduces an increased focus on planning, and is very much geared toward
making sure that the BCMS links with the objectives of the organization, as well as its
A component of the "plan" describes requirements as it relates to establishing strategic
objectives and guiding principles for the BCMS as a whole. The content of Clause 6.0
differs from establishing risk treatment opportunities stemming from risk assessment,
as well as business impact analysis (BIA) derived recovery objectives.
See a high-level overview and explanation of the structure of ISO 22301:2012 on
There is a growing concern about the
continued increase in business environment volatility that makes the task of
managing business continuity and global
supply chains tougher every day. Changes
over the last few years in the social, political, technology, environment, and economic domains around the world, suggest
that the business landscape and paradigm
of supply-chain management has transformed permanently.
By adopting a standard approach to
BCM as set out in ISO 22301, organizations can offer their customers and clients
greater assurance that they will be capable
of maintaining continuity of operations
and supply-chain if they suffer disruptive
The standard provides a framework to
build the resilience you need to respond
and operate effectively during the most
challenging and unexpected circumstances.
Clause 7.0 is also a component of "plan." It supports BCMS operations as they relate
to establishing competence and communication on a recurring/as-needed basis with
interested parties, while documenting, controlling, maintaining and retaining required
Clause 7.0 places a big focus on understanding the needs of interested parties; in fact,
one will see this mentioned all the way through the new ISO. The new international
standard very much considers the organization as part of the wider community, taking
into account stakeholders all the way to the local environment.
It goes so far as to introduce the notion of unspecified stakeholders, sweeping up more
than just those stakeholders an organization might consider immediately as interested
Clause 7.0 also details the support required to establish, implement and maintain an
effective BCMS, including:
Competence of people involved
Awareness of and communication with interested parties
Requirements for document management
Clause 8.0, a component of "do," defines business continuity requirements, determines
how to address them and develops the procedures to manage a disruptive incident.
The requirements for business continuity plans, including response procedures and
recovery plans are much more detailed too.
Clause 9.0 is a component of "check." It summarizes requirements necessary to
measure BCM performance, BCMS compliance with the international standard and
management’s expectations. Further, it seeks feedback from management regarding
Clause 9.0 introduces a whole new element. Those of you familiar with BS 25999-2
may get concerned, because ISO 22301 places much greater emphasis on setting
objectives, monitoring performance and metrics – therefore bringing business continuity
much closer to the top management way of thinking.
This can be difficult with a BCMS because it’s not just about documenting what you
have in place, but implementing real measureable metrics that monitor the health of
As with all management system standards there is a need to look back at what has
been achieved. ISO 22301 also requires that this analysis is evaluated and conclusions
drawn by the organization.
Frequently Asked Questions
Are you certified to BS 25999-2?
Organization’s holding certification
to BS 25999-2:2007 who wish to retain
Clause 10.0, a component of "act," identifies and acts on BCMS non-conformance
through corrective action.
This clause covers non-conformity and corrective action; the term preventive action is
no longer used and is now referred to as "actions to address risks and opportunities"
and is covered in Clause 6. 1.
Nonconformities of the BCMS have to be dealt together with corrective actions to
ensure they don’t happen again. As with all management system standards, continual
improvement is a core requirement of the standard.