ISO 22301:2012 defines the international standard for the business continuity of an organisation.
The ISO 22301 standard specifies the requirements for planning, implementing, managing and continuously improving a documented management system to prepare, react and recover from unforeseeable or accidental events, such as:
The standard has been developed to minimise the risk of interruption of the activities of each organisation.
Applying the ISO 22301 requirements allows an organisation to demonstrate to its stakeholders that it has a business continuity management system modelled on globally recognised best practices.
The standard works at the level of broad objectives; for this reason it is not prescriptive and can be applied by any organisation, regardless of its size, whether it operates in local, national or global markets, or whether it is public or private.
Initially the efforts must be aimed at understanding the nature of the organisation, identifying the critical activities, assessing the potential threats and the impact related to a possible interruption of the work/production activity, determining the continuity requirements and the risk propensity.
In this way it is possible to identify the scope of application of the Business Continuity Management System (BCMS), taking into account:
- Strategic business objectives
- Key products and services
- Processes necessary to achieve them and correlation with the organisational structure
- Risk propensity and applicable regulatory and contractual obligations.
The development of the plan can follow the phases of the Deming cycle (PDCA):
A Business Continuity plan must be continuously tested and updated so that it keeps matching the needs of the business; even a small change in any basic component of a process can alter the effectiveness of the plan.
Success depends on several interrelated factors, including:
- Continuous updating of solutions
- Continuous evaluation of the cost and complexity of each solution against the business value, priority and regulatory obligations of the protected process
- Overall costs
- Extent of the impact across the functions involved