ISO 22301 (Business Continuity Management)
ISO 22301 is the internationally recognised Standard in the field of Business Continuity Management (BCM). This Standard replaces PAS 56 and BS 25999.
Structure of ISO 22301
The ISO 22301 Standard is in two parts:-
The first part of the Standard takes the form of general guidance and seeks to establish processes, principals and terminology for BCM.
The second part of the Standard specifies requirements for implementing, operating and improving a documented Business Continuity Management System (BCMS), describing only the requirements that can be objectively and independently audited.
A useful means of understanding the difference between the two is that Part 1 is a guidance document and uses the term ‘should’. Part 2, however, is an independently verifiable specification that uses the term ‘shall’. Thus, Part 2 makes the requirements mandatory, and these requirements must be adhered to. Part 1, on the other hand, is merely guidance, from which the individuals have the option to adhere to.
Certification (independent verification) to this standard is available from certification bodies accredited by the United Kingdom Accreditation Service (UKAS) and is a multi stage process usually involving a number assessment visits. The assessor will then make a recommendation that the organization receive certification or not. After initial certification a number of surveillance visits are made as per a plan to ensure that the organization is still in compliance.