ISO 22301

Business Continuity
Management System
Ensure continuity of critical business
functions in the event of disruptions

White paper

Abstract
This white paper provides an overview of ISO 22301, and provides key information in establishing and operating
an effective business continuity management system, as outlined in the standard.

The white paper is intended for all sectors and industries, especially those operating in high risk environment, as
well as business continuity management personnel, including management, information technology engineer and
employees who are involved in implementing or supporting an organisation’s business continuity program.

TÜV SÜD
Contents
1 INTRODUCTION 3

2 WHAT IS ISO 22301? 3

2 WHAT IS ISO 22301? 4

3 ESTABLISHING AN ISO 22301 COMPLIANT

BUSINESS CONTINUITY MANAGEMENT SYSTEM? 5

4 CONCLUSION 11

About TÜV SÜD expert

Low Liang Ngien
Product Specialist, Auditing Centre
Mr. Low is a Product Specialist and Auditor for IT certifications, specifically in the area of
Business Continuity Management (BCM) and Data Centre Management in TÜV SÜD ASEAN,
and is responsible for the development of these products. He has carried out many business
continuity, data centre and information security audits in various sectors, including Financial
Institutions, ICT sector in ASEAN and South Asia.

He is an appointed member of Work Group by the Technical Committee on Security and Privacy
Standards (Information Technology Standard Committee) and helped both InfoComm Development
Authority (IDA) of Singapore and SPRING Singapore to provide technical advisory services to
support the development and review of the Business Continuity / Disaster Recovery standard,
SS 507:2015. Before joining TÜV SÜD, he was with POSBank, providing quality and information
security for the bank’s developed / acquired systems, and its IT and Data Centre operations.

2 ISO 22301 | TÜV SÜD

Introduction
Unexpected disruptions such as of a service, enabling continuity of A successful BCMS must be regarded
natural disasters, power outage, critical functions in the event of a as an integral part of an organisation’s
workers’ strikes, supply chain delays, disruption, and effective recovery normal ongoing management
pandemic outbreaks etc can cripple a thereafter. Implementing an appropriate processes. A company’s plan should
company’s business operations. BCM system helps to protect the vital demonstrate proactive involvement
business systems needed to maintain of the management, allocation of
The Business Continuity Management operations, and allows continuity appropriate and sufficient resources,
System (BCMS) is a process that helps of products or services, thereby and a clear commitment to the
manage risks so as to ensure smooth preserving a company’s market share, implementation of BCM.
operation of an organisation or delivery reputation and brand.

What is ISO 22301?

The ISO 22301 is an international worldwide. The model follows
framework and benchmark the familiar “plan-do-check-act” ISO 22301 specifies the
developed to guide businesses in process for managing and improving requirements to plan,
identifying potential threats to a an organisation’s operations and implement, monitor,
company’s products or services and performance. As such, the availability review, and improve
to build effective backup systems of ISO 22301 enables organizations
and processes to safeguard the to integrate business continuity
a company’s business
stakeholders’ interests. management efforts into their existing
continuity management.
management systems activities. With a formalized BCM
ISO 22301 is based on the management framework and well
system model found in ISO 9001 It provides formal business continuity tested plans, it minimizes
(quality management), ISO 14001 guidelines that will keep businesses uncertainties and
(environmental management), operational during and following confusion.
ISO 27001 (information security), a disruption. It seeks to minimize
ISO 20001 (IT service management), the impact to products or services,
and other management systems used ensuring they are still capable of being
by more than one million organizations delivered or recovered promptly.

TÜV SÜD | ISO 22301 3

ISO 22301 specifies the requirements Establish targets and objectives to ƒƒ Perform test and exercise on
to plan, implement, monitor, review, achieve the goals of the policy. BC Plans to determine that the
and improve a company’s business ƒƒ Identify business / operations risks business continuity procedures
continuity management. It minimizes and associated business impacts and plans address the intended
uncertainties and confusion. (Perform Risk Assessment (RA) and recovery objectives
Business Impact Analysis (BIA)) ƒƒ Monitor, measure and analyse key
ISO 22031 covers every phase of the ƒƒ Determine Business Continuity characteristics that affect the
implementation and operation of a Strategy and develop Business recovery plan
business continuity management Continuity Plan(s) (based on the ƒƒ Review the suitability, adequacy and
system, and provides a framework that result of RA and BIA and aligning to effectiveness of the business
can help organisations accomplish the BC Policy and Objectives) continuity management system
following tasks: ƒƒ Establish and implement business ƒƒ Continually improve an organisation’s
continuity procedures business continuity capabilities and
ƒƒ Develop an organisation policy ƒƒ Determine the resource required to performance
for an effective recovery of key ensure emergency preparedness and
business functions appropriate responses

The benefit of ISO 22301?

By adopting an ISO 22301 compliant ƒƒ Certification is an independent ƒƒ Provide integration with other
business continuity management assessment which marks an organisational management systems
system, organisations can accomplish organization’s commitment, to ensure ƒƒ Identify opportunities for improvement
the following goals: continuity of its business and service throughout the organization
to customers ƒƒ Gain confidence of stakeholders
ƒƒ Guide organizations in using a ƒƒ Facilitate organisation wide by implementing best practices for
systematic approach to develop, communication on the need for business continuity
implement, manage, maintain and preparedness for unexpected
improve its Business Continuity incidents and unwelcome events The ISO 22301 business continuity
Program ƒƒ Promote awareness on the management model can help
ƒƒ Ensure that you are on the right track importance of making a smooth and organisations better manage their
ƒƒ Help organisations to identify and quick recovery limited resources today while also
understand the risks that could ƒƒ Maintain quality and efficiency even supporting for longer term efforts to
disrupt and impact the business when incidents occur improve resiliency with technology.
ƒƒ Assure and give confidence to both ƒƒ Objectively evaluate and prioritise
staff and customers the distribution of resource and
implementation of redundancies

4 ISO 22301 | TÜV SÜD

Establishing an ISO 22301 compliant business
continuity management system?
Developing and implementing a consisting of personnel from resource / sites that may, or will be
business continuity management throughout the organisation. Ideally, available for organization to manage
system is a significant undertaking. participants on the implementation a disruption. This would likely include
For this reason, the commitment and team include personnel from physical facilities, work seats and
support of an organisation’s senior operations, IT, corporate space within organization which
management is critical. communications, risk & controls, are current unused. In addition, the
human resource, purchasing, as well implementation team should identify
While the actual work will likely be as participants from the facilities and the equipment and systems that may
delegated to an implementation team, maintenance departments. be critical. Once these preliminary
management’s commitment to the steps have been completed, the
effort must be unequivocal so that the Establishing team goals as well as a implementation and maintenance
team has the authority to implement regular meeting schedule can help of an ISO 22301 compliant business
the planned activities and efforts. to ensure that the team’s efforts stay continuity management system
on track. A final preliminary step in typically involves the following four
Once a commitment from senior establishing a business continuity phases:
management has been given, an management system is to identify any
implementation team is formed, and all potential existing alternate

A. Business Continuity Planning

Planning is the first phase in Review organisation external This activity helps the organization to
establishing a business continuity and internal issues and Identify / identify its internal and external
management system. A clearly defined understand the needs of Interested factors that create uncertainties;
and documented plan helps to ensure parties – The first planning step is to and therefore, risk. It also determine
the success of the overall effort by identify relevant organization internal exactly what is expected level of
providing a critical framework for the and external issues that may affect services and its business operations,
work to follow. its ability to continue its business and in addition perhaps broadly the list of
services, determine interested parties’ critical business functions that are
Organisation shall determine the expectation of its business and required to support these services and
risks and opportunities that need operations with the goal of identifying business deliverables.
to be addressed to ensure that the organization’s activities, functions,
management system can achieve services, products, partnerships,
its intended outcomes, prevent or supply chains and the potential impact
reduce undesired effects and achieve related to a disruptive incident.
continual improvement. At a minimum,
effective planning involves the
following activities:

TÜV SÜD | ISO 22301 5

Determine the policy and scope Identify Business Continuity their recovery. The objectives usually
for business continuity – With Objectives and Recovery Targets include time based targets (e.g. MTPD,
the understanding of organization (Maximum Tolerable Period of RTO, etc). The action plans shall
issues and interested parties Disruption, Minimum Business identify the parties responsible for
expectation and requirements, it Continuity Objectives) – Based on plan implementation, the time frame
provides the information necessary the identified requirements, policy for completion, a statement of the
for management to set organisation and scope, organization can now method used to verify the results, and
risk criteria taking into account the define business continuity objectives, a statement of the method used to
its risk appetite, establish the policy recovery targets and action plans to verify business continuity recovery
and scope of its business continuity achieve these targets. Objectives and improvements.
and what organization wants to targets should be consistent with the
achieve with its business continuity organisation’s business continuity
management system. policy, and include time frames for

B. Implementation and operation

With a plan in place, implementation can now begin. The implementation phase includes the following activities:

Competence, training and awareness In addition, an organization should Documentation – An organization must
– An effective business continuity identify any training needs associated document, either in paper or electronic
management system is based on the with its efforts to maintain the form, the core elements of its business
competence of all personnel involved. operation of its business continuity continuity management system. The
An organisation must ensure that all management system, and document all documentation shall include:
employees, as well as vendors and training efforts.
suppliers, are knowledgeable about: ƒƒ Scope and boundaries of the
Communication – An organization organisation’s business continuity
ƒƒ Benefits of having well should routinely provide employees management system
established plan and being prepared with information about new and ƒƒ Organisation’s business
ƒƒ Threats / risks and their impacts potential threats / risks that may continuity policy
to business course business disruption, the ƒƒ Business continuity objectives,
ƒƒ Right approach to risk assessment impact of these threats / risks and targets and action plans
and business impact analysis updates on changes / improvement ƒƒ Approach to business
ƒƒ Organisation business continuity its business continuity management impact analysis
strategies and its recovery plans system, and create a process ƒƒ Risk assessment methodology
ƒƒ Objectives and importance of that allows employees and others ƒƒ Business continuity strategy
integrated test and exercise working on its behalf to make ƒƒ Business continuity plan / plans
ƒƒ Importance of conformity with suggestions for improving the ƒƒ Approach for its tests / exercises
the procedures and requirements of system. If an organization decides and their plans
the organisation’s business continuity to provide information about its ƒƒ Documents and records as
management system business continuity policy to external required by ISO 22301
ƒƒ How their activities contribute to audiences, it should establish and ƒƒ Any other documents determined
the achievement of the organisation’s implement an appropriate method to to be necessary for the effective
business continuity goals manage this communication. management the system

6 ISO 22301 | TÜV SÜD

Document control – In addition to the a) Perform Business Impact Analysis d) Business continuity strategy
above documentation requirements, (BIA) formulation
an organisation must also establish This activity enables an organization After requirements (business recovery
and maintain suitable processes and to analyse the potential impact of priorities and timescales) have been
procedures to approve documents a disruption, identify the critical established through the BIA and the
for use, to periodically review and processes / business functions RA, strategies can be developed
update documents as necessary, and that support its key products and to identify arrangements that will
to ensure that relevant versions of services, the interdependencies enable the organization to protect
applicable documents are available to between processes and the resources and recover critical activities based
those who need them. required to operate the processes at a on organizational risk tolerance
minimally-acceptable level. and within defined recovery time
Operational control – A key aspect priorities and timescales. Resource
of the implementation and operation b) Perform Risk Assessment (RA) requirements (people; information and
phase is the organizing and managing The goal of this requirement is to data; building, work environment and
them (implementation and operation) establish, implement, and maintain a associate utilities; facilities, equipment
in a manner consistent with an formal documented risk assessment and consumable; information and
organisation’s business continuity process that systematically identifies, communication technology (ICT)
policy, objectives, targets and action analyzes, and evaluates the threat / systems; transportation; finance;
plans. This includes establishing the risk risk of disruptive events / incidents partners and suppliers) to implement
assessment methodology and criteria to the organization. Organisation the selected strategies is also
to assess business impact on service will also evaluate which threat / risks determined and established. All in
disruption. Documented processes events required treatment, identify the all, the business continuity strategy
and procedures needed to meet treatments commensurate with business should be an integral component of an
requirements and to implement action continuity objectives and in accordance institution’s corporate strategy.
plans determined shall be developed.  to organisation’s risk appetite.
e) Develop business continuity plan
The approach typically consist of a c) Establishing business recovery and procedures
number of discrete stages together priorities, timescales and requirements At this stage, organization shall
aimed at achieving a comprehensive The result from both BIA and RA allows develop, document, implement and
and viable business continuity plan organization to determine its recovery maintain the business continuity
that will fully meet the requirements of priority and recovery timescales. procedures to manage and response to
organisation in the event of a disruption:

TÜV SÜD | ISO 22301 7

disruptive events / incidents and how ƒƒ Be effective in minimizing strategies are capable of providing
it continue or recover activities within consequences through implementation the recovery within the timeframes
a predetermined timeframe based on of appropriate mitigation strategies expected / set, which becomes the
recovery objectives identified during benchmark for further improvement.
the BIA and RA phase. According to f) Plan and execute business continuity
ISO 22301:2012, the procedures shall : plan testing g) Ongoing business continuity
As business continuity procedures plan maintenance
ƒƒ Establish an appropriate internal and is not something we execute on a The business continuity procedures
external communications protocol; daily basis like our daily operations and plans like all organization’s
ƒƒ Be specific regarding the immediate procedures, identifying potential gaps, processes and procedures will
steps that are to be taken during blind spots or issues embedded within undergo review, updates, changes
a disruption; the procedures post a challenge. and continual improvement. Gaps
ƒƒ Be flexible to respond to Exercising and testing in this case, and issues identified during exercise
unanticipated threats and changing plays an important role of the entire and testing, various review (e.g.
internal and external conditions; implementation. To ensure that management review and internal
ƒƒ Focus on the impact of events that business continuity procedures are audits) and feedback channels,
could potentially disrupt operations; consistent with its business continuity external and internal organizational
ƒƒ Be developed based on stated objectives, an organization will have changes; planned regular impact and
assumptions and an analysis of to test them regularly. Exercising risk review are some of the means
interdependencies; and; and testing are the processes of organization can make use of to gather
validating business continuity plans inputs for improvement.
and procedures to ensure the selected

Approach to business continuity planning

Conduct of Business Impact

Analysis Review,
Assessment of Risks, then Impact, priorities, timescales
based on these results – for recovery and minimum
Establishment of Business requirements
Recovery Priorities,
Timescales & Requirements

Options for meeting priorities,

Business Continuity timescales and minimum Security
Strategy Formulation requirements, and Risk controls
recommendations Reduction incl. for
resilience
Plans(s), organisation,
Business Continuity
responsibilities, logistics,
Plan Production
detailed action tasklist

Testing of Business Test strategy and test plans,

Continuity Plan testing and evidence

Ongoing Maintenance Ongoing maintenance activity

8 ISO 22301 | TÜV SÜD

C. Checking
Continuous checking of the key Evaluation of compliance with
characteristics of an organisation’s legal and other requirements – An
risks and impact, business continuity organisation shall periodically
capabilities and its achievement of evaluate its compliance with
objectives, targets and action plans is legal requirements and any other
an essential element of the process, applicable standards and guidelines
ensuring that implementation activities in relation to the requirements of its
are producing the desired results implemented business continuity
and achieving the anticipated risks management system.
efficiencies. The checking phase
includes the following activities: Internal audit of the business
continuity management system – At
Monitoring, measurement and planned intervals, an organisation
analysis – This aspect of the checking shall conduct internal audits of the
phase includes the monitoring, business continuity management
measurement and analysis of the system to ensure that the system
following specific areas : conforms with the business continuity
objectives and targets that have
ƒƒ Determining and implementing
ƒƒ Exercise and testing result been established, and that the
appropriate corrective or preventive
ƒƒ Post-incident reporting implementation and maintenance of
actions
ƒƒ Ever change threats / risks the system is producing anticipated
ƒƒ Reviewing the effectiveness of
and their impacts capabilities and improvements.
corrective or preventative actions
ƒƒ Effect The results of these audits shall be
ƒƒ Maintaining records of all corrective
ƒƒ Effectiveness of business continuity documented and reported to the
actions
procedures and plans created to organisation’s management.
achieve the defined business An organisation shall also make any
continuity objectives and targets Corrective actions – An changes necessary to its business
organisation should be prepared to continuity management system to
The results from the monitoring and take correction actions as necessary prevent the future occurrence of
measuring of these key characteristics to address any non-conformities nonconformities.
must be documented, and the with the planned operation of the
organization must investigate and organisation’s business continuity Record control – The final aspect
respond to significant gaps identified. management system. Specific actions of the checking phase involves
In addition, an organisation must should include: the maintenance of records and
ensure that scenarios used in other documentation necessary
exercises to test key characteristics ƒƒ Reviewing actual or potential to demonstrate the organisation’s
of the business continuity procedures nonconformities ongoing compliance with the
and plans are realistic. Post mortem of ƒƒ Identifying the causes of requirements of its business continuity
every each and every exercise should nonconformities management system as well as those
be conducted and documented. Finally, ƒƒ Evaluating the need for action to of ISO 22301. Controls shall also
an organisation must periodically prevent further recurrence include provisions for record retention
review its measurement needs. and retrieval.

TÜV SÜD | ISO 22301 9

D. Management review
In the management review phase, an ƒƒ Opportunities for improvement ƒƒ To review lesson learnt and actions
organisation takes an objective look ƒƒ A review of the results of internal arising from disruptive events
at the overall effort from a strategic audits (including that of key suppliers ƒƒ Any emerging good practice and
point of view. The review phase also and partners) guidance that may have been identified
typically includes a briefing for senior ƒƒ An evaluation of the technique,
management on the progress and the products or procedures, which The management review itself will
results of the targets and action plans, could be used in the organization typically result in decisions or actions
and the overall effectiveness of the to improve the business continuity related to continual improvement
organisation’s business continuity management system’s performance opportunities and changes in the
management system (BCMS). and effectiveness following areas:
ƒƒ Status of corrective actions initiated
In preparing for the management ƒƒ A review on the results of exercising ƒƒ Organization business
review, an organisation shall consider and testing continuity policy
and evaluate all of the following ƒƒ An evaluation of risks or issues not ƒƒ Objectives, targets and other
performance considerations in adequately addressed in any previous element if the organization’ BCMS
connection with its BCMS : risk assessment ƒƒ Update of risk assessment, business
ƒƒ To review if any changes (both impact analysis, risk treatment plans,
ƒƒ Follow-up actions from any prior internal and external to the scope procedures and control to respond to
management reviews of certification) that could affect disruptive events
ƒƒ A review of the adequacy of organization BCMS ƒƒ Allocation of resources to
organisation’s business continuity’s ƒƒ Additional recommendations for manage business continuity activities
policy and if there is a need to change improvement
both its policy and objectives

10 ISO 22301 | TÜV SÜD

Conclusion
Being prepared by having an effective other management systems, such In addition to the certification of
business continuity management as ISO 9001, ISO 27001 and ISO business continuity management
system and recovery strategy is an 20000-1, allowing organisations to systems to ISO 22301, TÜV SÜD
increasingly important aspect of leverage their existing investments in offers a range of business continuity,
organisational performance. ISO 22301 management system compliance. information security and risk related
provides a clearly defined roadmap for audits and certifications, including
organisations seeking to implement TÜV SÜD is an internationally ISO 27001, SS 584 (Muti-Tier Cloud
and maintain a business continuity recognised testing, inspection and Security) SS 507 (Business Continuity
management system that can help certification organisation, with hundreds and Disaster Recover Standard for
organization to be prepared and ready of technical experts in more than Service Providers) and ISO 31000, as
to handle business disruptions such 30 countries around the world. This well as training services in Personal
that they could quickly and effective extensive network makes TÜV SÜD an Data Protection Act, ISO 20000-1 and
recover critical business operations effective single source for organisations all the above mentioned standards and
minimizing the impact on its services seeking expertise in the certification guidelines.
to customers. The structure of ISO and auditing of business continuity
22301 is also consistent with that of management systems of all types.

TÜV SÜD | ISO 22301 11

GLOSSARY OF ACRONYMS
BCMS – Business Continuity Management Systems
RA – Risk Assessment
BIA – Business Impact Analysis
ICT – Information and Communication Technology

COPYRIGHT NOTICE
The information contained in this document represents the current view of TÜV SÜD on the issues discussed as of the date of publication. Because TÜV SÜD must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of TÜV SÜD, and TÜV SÜD cannot guarantee the accuracy of any information presented after the date of publication. This
White Paper is for informational purposes only. TÜV SÜD makes no warranties, express, implied or statutory, as to the information in this document. Complying with all applicable copyright laws
is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form
or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of TÜV SÜD. TÜV SÜD may have patents, patent
applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from TÜV SÜD,
the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. ANY REPRODUCTION, ADAPTATION OR TRANSLATION OF
THIS DOCUMENT WITHOUT PRIOR WRITTEN PERMISSION IS PROHIBITED, EXCEPT AS ALLOWED UNDER THE COPYRIGHT LAWS. © TÜV SÜD Group – 2016 – All rights reserved - TÜV SÜD is a
registered trademark of TÜV SÜD Group.

DISCLAIMER
All reasonable measures have been taken to ensure the quality, reliability, and accuracy of the information in the content. However, TÜV SÜD is not responsible for the third-party content
contained in this newsletter. TÜV SÜD makes no warranties or representations, expressed or implied, as to the accuracy or completeness of information contained in this newsletter. This
newsletter is intended to provide general information on a particular subject or subjects and is not an exhaustive treatment of such subject(s). Accordingly, the information in this newsletter is not
intended to constitute consulting or professional advice or services. If you are seeking advice on any matters relating to information in this newsletter, you should – where appropriate – contact us
directly with your specific query or seek advice from qualified professional people. The information contained in this newsletter may not be copied, quoted, or referred to in any other publication or
materials without the prior written consent of TÜV SÜD. All rights reserved © 2013 TÜV SÜD.

12 ISO 22301 | TÜV SÜD

Keep businesses operational
during and following a disruption
www.tuv-sud-psb.sg/sg-en/activity/auditing-system-certification
[email protected]

Choose certainty. Add value.

TÜV SÜD is a premium quality, safety and sustainability solutions provider that specialises in testing, inspection, auditing,
certification, training and knowledge services. Represented in over 800 locations worldwide, we hold accreditations in
Europe, the Americas, the Middle East and Asia. By delivering objective service solutions to our customers, we add tangible
value to business, consumers and the environment.

Our ASEAN offices

SINGAPORE CAMBODIA INDONESIA MALAYSIA
TÜV SÜD PSB Pte Ltd TÜV SÜD Cambodia TÜV SÜD Indonesia TÜV SÜD Malaysia
Tel: +65 6778 7777 Tel: +855 23 500 25 25 Tel: +62 21 2986 5795/96 Tel: +60 3 5103 8128
2016 © TÜV SÜD PSB Pte Ltd | PSB-MKG/XX/X.0/en/SG

Email: [email protected] Email: [email protected] Email: [email protected] Email: [email protected]

www.tuv-sud-psb.sg www.tuv-sud-psb.sg www.tuv-sud.co.id www.tuv-sud.my

PHILIPPINES THAILAND VIETNAM

TÜV SÜD PSB Philippines TÜV SÜD Thailand TÜV SÜD Vietnam
Tel: +63 2 687 5673 Tel: +66 2 564 8041 Tel: +84 08 6267 8507
Email: [email protected] Email: [email protected] Email: [email protected]
www.tuv-sud-psb.ph www.tuv-sud.co.th www.tuv-sud.vn

13 ISO 22301 | TÜV SÜD