ISO 22301 BUSINESS CONTINUITY MANAGEMENT
Risk and business continuity management is, without doubt, due diligence. Planning for crisis or disaster is an aspect of management that can only be short-changed at your peril. However, it is a complex science, and not a five-minute job.
There is, of course, a range of tools to assist and to help create process. However, until relatively recently, there has been little effort to create a generally accepted framework.
THE EMERGENCE OF ISO 22301
BSI originally published a guide, PAS56, which established the process, principles and terminology of BCM. Specifically, PAS 56 described the activities in and 'outcomes' of establishing a business continuity management process, and provided a series of recommendations for good practice.
It provided a generic management framework for incident anticipation and response, as well as describing evaluation techniques and criteria. It was produced through the British Standards Institution. The sponsors were the BCI and Insight Consulting, although a number of other organizations were consulted during the development, including Sainsbury's, EDS, The Post Office and the OGC.
The Emergence of BS25999
In November 2006 an official standard was published to replace PAS56. This was BS 25999-1. It was produced through the British Standards Institution (Subcommittee BCM/1/-/2), which comprised representatives from a number of organizations and industry bodies. Others were additionally consulted during the development. A year later, in November 2007, a second part was published, stemming from the same subcommittee.
Was It A Standard?
Yes. In fact, BS25999 actually embraced two standards: BS 25999-1 and BS 25999-2. The former is a code of practice (which is the document based upon PAS56, as described above) and the latter is a specification for business continuity management.
It is also important to understand that a standard did not purport to include all the necessary provisions of a contract.
So What Was It For?
It was intended to provide assistance to the person responsible for implementing business continuity management within an organization. It described a framework and process for the Business Continuity Manager to use and offered a range of good practice recommendations. The second part could also be used to assess an organization's ability to meet regulatory and other requirements, and as such is the basis for certification.
ISO 22301 / ISO22301
This is the ISO standard for business continuity management. BS 25999-2 was used as the foundation for it, but there were influences from other frameworks throughout the world. It was first published in 2012.
Hopefully this website can offer some instruction and background. Please feel free to browse the pages above. A copy of ISO 22301 itself can be obtained from SD's: ISO 22301 Download Site. Alternatively, it is included in the ISO 22301 Starter Kit.