ISO 22301, The first ever ISO for BCM - Presented at BCI Qatar Forum

"ISO 22301, the First Ever ISO Standard for BCM." Societal Security – Business Continuity Management Systems. Muhammad Ghazali – MBCI, CBCI, CRISC, ISO 22301 Lead Auditor; Regional Head, BCM Consulting Service, Protiviti Middle East; Forum Leader, The BCI Kuwait Forum


Transcript of ISO 22301, The first ever ISO for BCM - Presented at BCI Qatar Forum

Page 1: ISO 22301, The first ever ISO for BCM - Presented at BCI Qatar Forum

"ISO 22301, the First Ever ISO Standard for BCM." Societal Security – Business Continuity Management Systems

Muhammad Ghazali – MBCI, CBCI, CRISC, ISO 22301 Lead Auditor
Regional Head – BCM Consulting Service, Protiviti Middle East
Forum Leader, The BCI Kuwait Forum

Page 2

What is Business Continuity Management (BCM)?

“Plans and actions that provide protection and alternate modes of operation”

Page 3

What’s In A Name?

Addition of "Societal Security" to "Business Continuity".

"Societal Security" recognizes that no organization operates in a vacuum.

Organizations operate within the context of society, through customers, partners, suppliers, local, regional, national and foreign governments, and more.

This change in title is a significant shift between BS 25999-2 and ISO 22301, making explicit that the standard is about society:

"Societal Security – Business Continuity Management Systems"

Page 4

What could cause a business interruption?

Page 5

Why an ISO Standard for Business Continuity?

› Finally a global standard for Business Continuity Management which speaks the same language across borders

› Auditable specification to validate effectiveness

› Clearer expectations of the organization's management

› First standard developed on Guide 83, which is the new roadmap for standard developers. All ISO standards will follow the same structure in their next versions.

› Making leadership accountable for building competence, not just awareness.

› Organizations can offer their customers and clients greater assurance of continuity following any disruption

Page 6

ISO 22301 vs. BS 25999

› Larger canvas for the BCMS

› Expansion of the canvas from organizational BCMS to Societal Security – BCMS

› Clearer expectations of top management

› Leadership participation is required. Top management leadership shall be more demonstrable and active.

› More careful planning and preparation of resources

› Preventive action has been replaced with "actions to address risks and opportunities", leading to resilient organizations.

Page 7

Overall Structure

Clauses of the standard:

4. Context of Organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance Evaluation
10. Improvement

Arranged on the Plan – Do – Check – Act cycle.

Page 8

Context of Organization

Understanding the organization and its environment is an essential step, e.g. culture, people, mix of nationalities.

Micro environment, e.g. customers, suppliers, partners, contractors, distributors and arbitrators.

Macro environment, e.g. social, political, economic, ethics of trade, local regulators, environmental considerations.

The parts of the organization to be included in the BCMS shall be identified. Any exclusions shall not affect the organization's ability to provide continuity of its services and operations.

Page 9

Organization Policy

Business Continuity Policy

Context of Organization

Page 10

Context of Organization – Interested Parties (Clause 4)

Investors, Shareholders, Suppliers, Customers, People, Recovery Service Providers, Regulators, Government, Insurers, Owners, Employee Unions, Neighbors, Industry Unions, Competitors, Media, Leasers, Contractors, Technology, Concerned Agencies, Staff Dependents

Top Management – responsible for establishing the framework

Management – owners of Business Continuity

Incident Response Team

Media Communicator

Response Team

Rest of the Organization

Page 11

Leadership

Setting the BC Policy: ensuring that the policies and objectives of the BCMS are compatible with the strategic direction of the organization, and communication of the BCMS vision across the organization.

Continual Support to BCMS: that continual support is available to the BCMS once implemented.

Roles, Responsibilities and Authorities: requires top management to assign responsibility for the establishment, implementation and monitoring of the BCMS.

Page 12

Planning (Clause 6)

› Addition in ISO 22301 which requires:

› Determining the risks and opportunities that need to be addressed to ensure that the BCMS can achieve its intended outcome

› Ensuring that the Business Continuity Objectives are aligned to the organization

› Identification of the individual responsible for delivering those objectives.

Page 13

Support (Clause 7)

› Addition in ISO 22301 which requires:

› An organization to ensure persons are competent on the basis of education, training and experience.

› Organization-wide awareness of the BCM Policy and understanding of the effectiveness of the BCMS

› Sets out requirements for receiving and responding to communications from interested parties, through an integrated warning system.

Page 14

Operation (Clause 8)

Requires the organization to ensure processes to manage the BCMS:

1. Conduct Business Impact Analysis, with MTPD, RTO and RPO
2. Identification of risks that could impact the prioritized activities
3. Establish and implement business continuity strategy
4. Documentation of Business Continuity Plans
5. Exercise and testing of the BCMS on appropriate scenarios for continual improvement
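As an added example, not part of the presentation, a small Python check of the BIA data that steps 1 and 5 produce. It assumes the usual definitions (MTPD = Maximum Tolerable Period of Disruption, RTO = Recovery Time Objective, RPO = Recovery Point Objective, all in hours), flags activities whose RTO does not sit inside the MTPD, orders activities for recovery, and compares constructed exercise results against the targets.

```python
from dataclasses import dataclass


@dataclass
class Activity:
    """One prioritized activity from the BIA (constructed sample data)."""
    name: str
    mtpd_h: float  # Maximum Tolerable Period of Disruption, hours
    rto_h: float   # Recovery Time Objective, hours
    rpo_h: float   # Recovery Point Objective, hours of data loss tolerated


def bia_findings(activities):
    """BIA consistency: an RTO equal to or beyond the MTPD cannot be met in time."""
    return [f"{a.name}: RTO {a.rto_h}h is not within MTPD {a.mtpd_h}h"
            for a in activities if a.rto_h >= a.mtpd_h]


def recovery_priority(activities):
    """Order activities by MTPD, then RTO: the least tolerant activity recovers first."""
    return [a.name for a in sorted(activities, key=lambda a: (a.mtpd_h, a.rto_h))]


def exercise_findings(activities, results):
    """Compare exercise results {name: (recovery_time_h, data_loss_h)} against RTO/RPO."""
    findings = []
    for a in activities:
        if a.name not in results:
            findings.append(f"{a.name}: not exercised")
            continue
        recovery_time, data_loss = results[a.name]
        if recovery_time > a.rto_h:
            findings.append(f"{a.name}: recovered in {recovery_time}h, RTO is {a.rto_h}h")
        if data_loss > a.rpo_h:
            findings.append(f"{a.name}: lost {data_loss}h of data, RPO is {a.rpo_h}h")
    return findings


# Constructed sample BIA and exercise results (hypothetical organization).
SAMPLE_ACTIVITIES = [
    Activity("Payments processing", mtpd_h=4, rto_h=2, rpo_h=0.25),
    Activity("Customer support desk", mtpd_h=24, rto_h=8, rpo_h=4),
    Activity("Payroll", mtpd_h=72, rto_h=96, rpo_h=24),  # RTO beyond MTPD: inconsistent
]
SAMPLE_EXERCISE = {
    "Payments processing": (3.0, 0.1),   # too slow, data loss fine
    "Customer support desk": (6.0, 6.0), # on time, too much data lost
}

if __name__ == "__main__":
    for line in bia_findings(SAMPLE_ACTIVITIES) + exercise_findings(SAMPLE_ACTIVITIES, SAMPLE_EXERCISE):
        print(line)
```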

Page 15

Performance Evaluation (Clause 9)

› Yet another addition in ISO 22301 which requires:

› Internal Audit and Management Review continue to be the key methods of reviewing the performance of the BCMS

› Monitoring, measurement, analysis and evaluation to ensure that appropriate metrics are in place and implemented

› Communicate the results of the management review to relevant interested parties and take appropriate action

Page 16

Improvement (Clause 10)

› Management Review

› Continual Improvement is based on the Japanese philosophy of Kaizen, meaning "Change for Better"

› ISO 22301 requires that the organization shall also 'evaluate the need for action to eliminate the causes of the nonconformity', by:

› Cause of nonconformity

› Need of improvement

› Making change to the BCMS

› Making change in the business process (if required)

Page 17

Path for Certification

The usual path for an organization that wishes to be certified against ISO 22301 is the following:

1. Implementation of the management system

2. Internal audit and review by top management

3. Selection of the certification body (registrar)

4. Pre-assessment audit (optional)

5. Stage 1 audit for conformity of design

6. Stage 2 audit to evaluate whether the declared management system conforms to all requirements of the standard, is actually being implemented in the organization and can support the organization in achieving its objectives.

7. Follow-up audit (optional) in the case of non-conformities that require additional

8. Confirmation of registration after compliance with the requirements

9. Continual improvement and surveillance audits after certification

Page 18

Conclusion

• ISO 22301 is an important next step in the evolution of international standards for business continuity, speaking a single language for organizational resilience.

• Organizations of every size can implement the ISO 22301 framework to help them achieve a level of maturity in their continuity planning process.

• So far the most comprehensive certifiable requirement for Business Continuity Management.

Page 19

Q & A Session

Muhammad Ghazali – MBCI, CBCI, CRISC, ISO 22301 Lead Auditor
Regional Head – BCM Consulting Service, Protiviti Middle East
Forum Leader, The BCI Kuwait Forum

[email protected]