ISO:23301 information

Introduction ISO 22301:2012

The full name of this standard is ISO 22301:2012 Societal security - Business continuity management systems - Requirements. The standard was developed by leading experts in the field of business continuity management. The focus of this standard is on performing a Bunisess Impact Analysis (BIA). This includes;

• Ranking your products, services and business activities in order of importance to your business operations.
• Conducting a risk analysis and risk assessment;
• Identifying the risks of interruption to your business operations and taking (preventive) measures.
• Determining Business Continuity Strategies;
• Selecting an approach to be able to prevent or remedy disruptions.
• Establishing concrete crisis management and business continuity plans. These consist of at least:
• Incident Management;
• Alarm management and communication;
• Business Continuity Plans (BCP);
• Recovery plans;
• Testing and exercising of these plans;
• Documented reports with outcomes, recommendations and actions.

Content ISO 23301

According to ISO 22301, the core of business continuity management consists of the following components:

Business impact analysis:

Identification of essential business processes for production and service provision, their interdependencies and required (external) resources and assessment of the effects if these processes do not or cannot function for some time. Risk assessment: identification and assessment of all risks that could lead to disruption of the above-mentioned business processes and planning of measures to prevent the occurrence of risks.

Business continuity strategy:

Determine a continuity strategy based on the results of the previous step (where are the priorities and how do we address them?), identify needed resources and plan preventive and mitigating actions.

Business continuity procedures:

Establish and implement procedures for dealing with disruptive events and continuation of business activities, the organizational approach in case an incident occurs (response structure), alerting and communication (internal and external) and a business continuity plan.

Exercise

All procedures and plans from the previous step should be practised and evaluated for effectiveness.

Recovery:

Procedures and plans for returning to normal operations from temporary emergency arrangements.

The chapter format is the same as the other ISO standards and includes:

1. Introduction
2. Subject matter and scope
3. Normative references
4. Terms and definitions
5. Context of the organization
6. Leadership
7. Planning
8. Support
9. Implementation
10. Performance Evaluation
11. Improvement

Audit protocol

Certification means that an external, independent party *certifying body establishes whether the organization's quality management system meets all standard requirements. To determine this, a certification body (CI) conducts an audit. This first (certification audit) consists of two phases.

The first phase serves;

• To review the documentation
• evaluate the site and site-specific conditions and to have interviews with employees to determine if the organization is prepared for phase two
• to assess the extent to which the organization meets the requirements of the standard and understands the requirements of the standard, particularly with respect to the identification of key performance and aspects, processes and operation of the management system
• gather necessary information regarding the scope of the management system, processes and sites, and relevant statutory and legal aspects
• to see what resources are available for the second phase and to reach agreement with the organization on the development of the second phase audit
• to gain a good understanding of the organization's management system, activities and significant aspects involved

The purpose of the phase two audit is to assess the implementation and effectiveness of the management system. The phase two audit takes place at the organization's site(s). The phase two audit shall include at least the following:

• information and evidence regarding conformity to all requirements of the standard
• performance evaluation, measurement, reporting and assessments done to determine the extent to which goals and objectives have been achieved
• The organization's management system and how the organization meets legal requirements
• The control of the organization's processes
• Internal audits and management review
• Management involvement in the quality policy
• The connection and coherence between the requirements of the standard, the organization's policy, goals and objectives, legal requirements, responsibilities, employee competence, implementation, procedures, performance information, and findings from internal audits.

Subsequently, in the 2 years thereafter, organizations are tested (semi-) annually to assess whether they continue to meet the requirements of the standard. Recertification again consists of 2 phases and occurs in the third year of the first certification. This cycle is maintained.

Deviations

If any non-conformities are noted during an audit, they are recorded in the audit report. The name may vary from one certifying body to another but boils down to the following:

Major non-conformity (Category 1 deviation):

- The absence of effective implementation with regard to one or more system requirements of the standard, or a situation in which it is not or not sufficiently ensured that the product or service will comply with requirements;

- Multiple category 2 non-conformities with regard to a standard requirement for which it has been established that there is no effective implementation within the management system

- A category 2 non-conformity where the required corrective actions have not led to effective implementation will be upgraded to a category 1 finding

The correction, root cause analysis and corrective action plan, together with sufficient evidence of their implementation, must be submitted within 90 days of the last day of audit. Assessment of nonconformities is done through desk research. However, depending on the seriousness of the findings, the auditor may conduct a follow-up visit to confirm that the measures have been taken, to evaluate their effectiveness and to determine whether nomination for certification or continuation of the certificate can take place.

Minor non-conformity (Category 2 deviation):

A lack of discipline or control in the implementation of system or procedural requirements, which does not affect the functioning of the system and/or the meeting of the product/service requirements.

The correction, root cause analysis and corrective action plan must be approved by the lead auditor and verification of the implementation and assessment of the effectiveness of the corrective action must take place at the next visit.

Observation

An observation is not in itself a deficiency, but it may indicate a possible future deficiency if the situation is given too little attention; an observation may also refer to a situation where no appropriate evidence is found to support the determination of a deficiency

Recommendations for improvement

Recommendations for improvement relate to areas and/or processes where - minimum-standard requirements may be met, but where improvement is possible.