May 05 2025

Security and resilience. Business continuity management systems. Requirements

Category: BCP, Cyber resilience | disc7 @ 1:08 pm

1. Purpose and Scope:
The concept of business continuity in management systems focuses on preparing organizations to respond effectively to disruptions. Its primary goal is to ensure that essential business functions can continue during and after incidents such as cyberattacks, natural disasters, or system failures. Business continuity planning is an integral part of an organization’s broader risk management and security posture.

2. Integration with Management Systems:
Business continuity must be embedded into the overall management system, aligning with standards like ISO 22301. This integration ensures that continuity planning, implementation, and testing are not isolated activities but coordinated with information security, quality management, and operational strategies. It emphasizes a risk-based approach and continuous improvement.

3. Key Components:
A robust business continuity framework includes a business impact analysis (BIA), risk assessment, recovery strategies, and response plans. These elements help identify critical processes, assess vulnerabilities, and define acceptable downtime and recovery objectives. Regular training, awareness programs, and incident response drills support readiness and resilience.

4. Communication and Leadership Commitment:
Effective business continuity management depends on top-level commitment and clear communication channels. Leadership must allocate resources, define roles, and ensure all employees understand their responsibilities during a crisis. Internal and external communication strategies are also essential to maintain trust and manage stakeholder expectations.

5. Testing and Continuous Improvement:
To ensure resilience, organizations must regularly test and review their business continuity plans. Simulations, audits, and after-action reviews help identify gaps and improve preparedness. Lessons learned from real incidents or exercises should feed into an ongoing cycle of improvement, reinforcing the organization’s ability to adapt and recover quickly.

BS EN ISO 22301:2019+A1:2024 – TC

BS EN ISO 22301 is the international standard which specifies the requirements for a business continuity management system (BCMS). It helps you to identify potential threats to your business and build the capacity to deal with unforeseen events.

It enables an organization to have a more effective response and a quicker recovery, thereby reducing any impact on people, products and the organization’s bottom line.

What are the benefits of BS EN ISO 22301 – Business continuity management systems

BS EN ISO 22301 empowers organizations to put in place a business continuity management system. By implementing its principles and guidelines in your organization, your business can benefit from:

  • Reduced frequency and impact of disruptions
  • Ability to return to “business as usual” as swiftly as possible
  • Cost savings on reducing the impact of disruptions
  • Confidence that your plans are robust and ensure you are resilient and well-placed to deal with change
  • Increased stakeholder confidence and trust
  • Lower insurance premiums

Cyber Resilience – Defence-in-depth principles

Becoming Resilient – The Definitive Guide to ISO 22301 Implementation: The Plain English, Step-by-Step Handbook for Business Continuity Practitioners

ISO 22301:2019 and business continuity management – Understand how to plan, implement and enhance a business continuity management system (BCMS)

ISO 22301 Free to read


Tags: BCMS, ISO 22301


Apr 03 2020

Coronavirus Business Continuity Management Bundle

Category: BCP | DISC @ 4:00 pm

#Coronavirus Business Continuity Management (#BCM) Bundle

Ensure your organisation can survive in the face of disaster; learn how to create and implement an effective business continuity plan.


Webinar: Business Continuity Management: Impact Analysis and Risk Assessment
https://www.youtube.com/watch?v=awLn7yZDKXs





Tags: BCMS, Business continuity planning, business impact assessment, Pandemic assessment


Apr 27 2016

Why you should care about ISO 22301?

Category: BCP | DISC @ 9:48 pm


Business Continuity is the term now given to mean the strategies and planning by which an organization prepares to respond to catastrophic events such as fires, floods, cyber-attacks, or more common human errors and accidents.

A Business Continuity Management System (BCMS) puts such a program in the context of an ISO management system, and ISO 22301:2012 sets a certifiable standard for a BCMS. It is the first and most recognized international standard for business continuity.

Several other standards, particularly BS 25999, have had wide international acceptance; however, they are now largely supplanted by ISO 22301.
The obvious benefits to an organization having a robust, mature business continuity program have been outlined in this Newsletter previously (April, 2015). They center on being able to respond to disruptions so an organization stays in business and meets its obligations and commitments to all stakeholders.
However, there are additional ways that an organization can benefit from adhering to a business continuity standard, particularly ISO 22301. These benefits can accrue from obtaining certification to the Standard, and also from formally aligning to the Standard without actual certification.
For more on additional benefits: So, why should you care about 22301?

Steps in ISO 22301 implementation are the following:
1. Obtain management support
2. Identify all applicable requirements
3. Develop top-level Business Continuity Policy and objectives
4. Write documents that support the management system
5. Perform risk assessment and treatment
6. Perform business impact analysis
7. Develop business continuity strategy
8. Write the business continuity plan(s)
9. Implement training and awareness programs
10. Maintain the documentation
11. Perform exercising and testing
12. Perform post-incident reviews
13. Communicate continuously with the interested parties
14. Measure and evaluate the BCMS
15. Perform internal audit
16. Implement all the necessary corrective and preventive actions, and
17. Perform the management review





Tags: BCMS, ISO 22301


Nov 09 2014

When to use tools for ISO 27001/ISO 22301 and when to avoid them

Category: ISO 27k | DISC @ 8:54 pm

ISO 27001 2013

If you’re starting to implement complex standards like ISO 27001 or ISO 22301, you’re probably looking for a way to make your job easier. Who wouldn’t? After all, reinventing the wheel doesn’t sound like a very interesting job.

So, you start looking for some tool to help you with these information security and business continuity standards, but beware – not every tool will help you: you might end up with a truck wheel that doesn’t fit the car you’re driving.

Types of tools

Let’s start first with what types of tools you’ll find in the market that are made specifically for ISO 27001 and ISO 22301:

a) Automation tools – these tools help you semi-automate part of your processes – e.g., performing the risk assessment, writing the business continuity plans, managing incidents, keeping your documentation, assisting in measurement, etc.

b) Tools for writing documentation – these tools help you develop policies and procedures – usually, they include documentation templates, tutorials for writing documentation, etc.

Pros and cons of automation tools

Automation tools are generally useful for larger companies – for example, using spreadsheets for assessing risks can be a problem if you have, e.g., 100 departments, because when you have to merge those results this becomes very difficult. Or, if you have 50 different recovery plans and you want to change the same detail in each of them, using a tool is probably much easier.

However, applying such automation tools to smaller companies can prove to be very expensive – most of these tools are not priced with smaller companies in mind, and even worse – training employees for using such tools takes too much time. Therefore, for smaller companies, performing risk assessment using Excel or writing business continuity plans in Word is a very quick and affordable solution.

There are some tools for which I personally see no purpose – for example, tools for keeping ISO documentation. For that purpose, larger companies will use their existing document management system (e.g., SharePoint), while smaller companies can upload the documentation to shared folders with defined access rights – it doesn’t have to be any more sophisticated than that.

Can you automate everything?

One important fact needs to be emphasized here: automation tools cannot help you manage your information security or business continuity. For instance, you cannot automate writing your Access control policy – to finalize such a document, you need to coordinate your CISO, IT department and business side of the organization, and only after you reach an agreement can you write this policy. No automation can do that for you.

Yes, you can semi-automate the measurement of success of particular controls, but again a human needs to interpret those results to understand why the control was performing well or poorly – this part of the process cannot be automated, and neither can the decision on which corrective or preventive actions need to be taken as a result of gained insight.

What to watch out for when looking for documentation writing tools

You won’t need tools for writing your policies, procedures, and plans if you have already developed your documentation based on a framework that is similar to ISO 27001 – e.g., COBIT, Cybersecurity Framework, or NFPA 1600. Also, if you hired a consultant, then it will be his duty to write all the documents (see also: 5 criteria for choosing an ISO 22301 / ISO 27001 consultant).

In other cases you will find documentation writing tools (i.e., documentation templates) quite useful because they will speed up writing your policies and procedures. The main question here is how to choose the right ones – here are a couple of tips:

  • Are they appropriate for your company size? If you are a small company and the templates are made for big companies, they will be overkill for you, and vice versa.
  • Which kind of help do you receive for writing documents? Are there any guidelines, tutorials, support, or anything similar that comes with the templates?
  • Experience of the authors? It would be best if the author has experience in both consulting and auditing, so that the templates are practical for daily operations, but also acceptable for the certification audit.

So, to conclude: yes – in most cases tools can help you with your ISO 27001 and ISO 22301 implementation. Since there are many tool providers in the market, make sure you perform thorough research before you decide to use one.

Author: Dejan Kosutic, Expert at 27001Academy, is the author of a documentation tool aimed at small and mid-sized companies: ISO 27001 & ISO 22301 Documentation Toolkit .




Tags: Acceptable use policy, Access Control, BCMS, isms, ISO/IEC 27001, ISO22301, Risk Assessment


Jun 19 2012

Achieve Best Practice & Win New Business with International IT Standards

Category: cyber security, ISO 27k | DISC @ 3:38 pm

International IT Standards help organizations achieve best practice systems and management of their IT processes. Certification against standards can help organizations protect their critical assets, rebuff cyber attacks, help win new business and achieve compliance against regulatory requirements.

ISO27001: Cyber Security Standard (Cheapest price on the web)
ISO27001 helps businesses create a best-in-class Information Security Management System (ISMS), safeguarding their information assets and protecting their reputation.
ISO22301: Business Continuity Standard (Published last Month)
ISO22301 sets out the requirements for a Business Continuity Management System (BCMS) and helps organizations ensure they are prepared should a disruptive incident occur and, more importantly, continue trading and return to business as usual as quickly as possible.

ISO20000: IT Service Management Standard (Best Seller)
ISO20000 enables IT organizations (whether in-house, outsourced or external) to ensure that their IT service management processes are aligned. This standard specifies the requirements for a service management system (SMS) and will help you develop, implement and establish an SMS.




Tags: BCMS, isms, iso 27001, iso20000, ISO22301, SMS