ISO 22301

Business Continuity
Management System
Ensure continuity of critical business
functions in the event of disruptions

White paper

Abstract
This white paper provides an overview of ISO 22301, and provides key information in establishing and operating
an effective business continuity management system, as outlined in the standard.

The white paper is intended for all sectors and industries, especially those operating in high risk environment, as
well as business continuity management personnel, including management, information technology engineer and
employees who are involved in implementing or supporting an organisation’s business continuity program.

TÜV SÜD
Contents
1 INTRODUCTION 3

2 WHAT IS ISO 22301? 3

2 WHAT IS ISO 22301? 4

3 ESTABLISHING AN ISO 22301 COMPLIANT

BUSINESS CONTINUITY MANAGEMENT SYSTEM? 5

4 CONCLUSION 11

About TÜV SÜD expert

Low Liang Ngien
Product Specialist, Auditing Centre
Mr. Low is a Product Specialist and Auditor for IT certifications, specifically in the area of
Business Continuity Management (BCM) and Data Centre Management in TÜV SÜD ASEAN,
and is responsible for the development of these products. He has carried out many business
continuity, data centre and information security audits in various sectors, including Financial
Institutions, ICT sector in ASEAN and South Asia.

He is an appointed member of Work Group by the Technical Committee on Security and Privacy
Standards (Information Technology Standard Committee) and helped both InfoComm Development
Authority (IDA) of Singapore and SPRING Singapore to provide technical advisory services to
support the development and review of the Business Continuity / Disaster Recovery standard,
SS 507:2015. Before joining TÜV SÜD, he was with POSBank, providing quality and information
security for the bank’s developed / acquired systems, and its IT and Data Centre operations.

2 ISO 22301 | TÜV SÜD

Introduction
Unexpected disruptions such as
natural disasters, power outage,
workers’ strikes, supply chain delays,
pandemic outbreaks etc can cripple a
company’s business operations.
The Business Continuity Management operations, and allows continuity
System (BCMS) is a process that helps of products or services, thereby
manage risks so as to ensure smooth
operation of an organisation or delivery reputation and brand.
What is ISO 22301?
The ISO 22301 is an international
framework and benchmark
developed to guide businesses in
identifying potential threats to a
company’s products or services and
to build effective backup systems
and processes to safeguard the
stakeholders’ interests.
ISO 22301 is based on the management
system model found in ISO 9001
(quality management), ISO 14001
(environmental management),
ISO 27001 (information security),
ISO 20001 (IT service management),
and other management systems used
by more than one million organizations
TÜV SÜD | ISO 22301
of a service, enabling continuity of
critical functions in the event of a
disruption, and effective recovery
thereafter. Implementing an appropriate
BCM system helps to protect the vital
business systems needed to maintain
preserving a company’s market share,
worldwide. The model follows
the familiar “plan-do-check-act”
process for managing and improving
an organisation’s operations and
performance. As such, the availability
of ISO 22301 enables organizations
to integrate business continuity
management efforts into their existing
management systems activities.
It provides formal business continuity
guidelines that will keep businesses
operational during and following
a disruption. It seeks to minimize
the impact to products or services,
ensuring they are still capable of being
delivered or recovered promptly.
A successful BCMS must be regarded
as an integral part of an organisation’s
normal ongoing management
processes. A company’s plan should
demonstrate proactive involvement
of the management, allocation of
appropriate and sufficient resources,
and a clear commitment to the
implementation of BCM.
ISO 22301 specifies the
requirements to plan,
implement, monitor,
review, and improve
a company’s business
continuity management.
With a formalized BCM
framework and well
tested plans, it minimizes
uncertainties and
confusion.
3
ISO 22301 specifies the requirements Establish targets and objectives to ƒƒ Perform test and exercise on
to plan, implement, monitor, review, achieve the goals of the policy. BC Plans to determine that the
and improve a company’s business ƒƒ Identify business / operations risks business continuity procedures
continuity management. It minimizes and associated business impacts and plans address the intended
uncertainties and confusion. (Perform Risk Assessment (RA) and recovery objectives
Business Impact Analysis (BIA)) ƒƒ Monitor, measure and analyse key
ISO 22031 covers every phase of the ƒƒ Determine Business Continuity characteristics that affect the
implementation and operation of a Strategy and develop Business recovery plan
business continuity management Continuity Plan(s) (based on the ƒƒ Review the suitability, adequacy and
system, and provides a framework that result of RA and BIA and aligning to effectiveness of the business
can help organisations accomplish the BC Policy and Objectives) continuity management system
following tasks: ƒƒ Establish and implement business ƒƒ Continually improve an organisation’s
continuity procedures business continuity capabilities and
ƒƒ Develop an organisation policy ƒƒ Determine the resource required to performance
for an effective recovery of key ensure emergency preparedness and
business functions appropriate responses

The benefit of ISO 22301?

By adopting an ISO 22301 compliant
business continuity management
system, organisations can accomplish
the following goals:
ƒƒ Guide organizations in using a
systematic approach to develop,
implement, manage, maintain and
improve its Business Continuity
Program
ƒƒ Ensure that you are on the right track
ƒƒ Help organisations to identify and
understand the risks that could
disrupt and impact the business
ƒƒ Assure and give confidence to both
staff and customers
ƒƒ Certification is an independent
assessment which marks an
organization’s commitment, to ensure
continuity of its business and service
to customers
ƒƒ Facilitate organisation wide
communication on the need for
preparedness for unexpected
incidents and unwelcome events
ƒƒ Promote awareness on the
importance of making a smooth and
quick recovery
ƒƒ Maintain quality and efficiency even
when incidents occur
ƒƒ Objectively evaluate and prioritise
the distribution of resource and
implementation of redundancies
ƒƒ Provide integration with other
organisational management systems
ƒƒ Identify opportunities for improvement
throughout the organization
ƒƒ Gain confidence of stakeholders
by implementing best practices for
business continuity
The ISO 22301 business continuity
management model can help
organisations better manage their
limited resources today while also
supporting for longer term efforts to
improve resiliency with technology.

4 ISO 22301 | TÜV SÜD

Establishing an ISO 22301 compliant business
continuity management system?
Developing and implementing a
business continuity management
system is a significant undertaking.
For this reason, the commitment and
support of an organisation’s senior
management is critical.
While the actual work will likely be
delegated to an implementation team,
management’s commitment to the
effort must be unequivocal so that the
team has the authority to implement
the planned activities and efforts.
Once a commitment from senior
management has been given, an
implementation team is formed,
A. Business Continuity Planning
Planning is the first phase in
establishing a business continuity
management system. A clearly defined
and documented plan helps to ensure
the success of the overall effort by
providing a critical framework for the
work to follow.
Organisation shall determine the
risks and opportunities that need
to be addressed to ensure that the
management system can achieve
its intended outcomes, prevent or
reduce undesired effects and achieve
continual improvement. At a minimum,
effective planning involves the
following activities:
TÜV SÜD | ISO 22301
consisting of personnel from
throughout the organisation. Ideally,
participants on the implementation
team include personnel from
operations, IT, corporate
communications, risk & controls,
human resource, purchasing, as well
as participants from the facilities and
maintenance departments.
Establishing team goals as well as a
regular meeting schedule can help
to ensure that the team’s efforts stay
on track. A final preliminary step in
establishing a business continuity
management system is to identify any
and all potential existing alternate
Review organisation external
and internal issues and Identify /
understand the needs of Interested
parties – The first planning step is to
identify relevant organization internal
and external issues that may affect
its ability to continue its business and
services, determine interested parties’
expectation of its business and
operations with the goal of identifying
organization’s activities, functions,
services, products, partnerships,
supply chains and the potential impact
related to a disruptive incident.
resource / sites that may, or will be
available for organization to manage
a disruption. This would likely include
physical facilities, work seats and
space within organization which
are current unused. In addition, the
implementation team should identify
the equipment and systems that may
be critical. Once these preliminary
steps have been completed, the
implementation and maintenance
of an ISO 22301 compliant business
continuity management system
typically involves the following four
phases:
This activity helps the organization to
identify its internal and external
factors that create uncertainties;
and therefore, risk. It also determine
exactly what is expected level of
services and its business operations,
in addition perhaps broadly the list of
critical business functions that are
required to support these services and
business deliverables.
5
Determine the policy and scope
for business continuity – With
the understanding of organization
issues and interested parties
expectation and requirements, it
provides the information necessary
for management to set organisation
risk criteria taking into account the
its risk appetite, establish the policy
and scope of its business continuity
and what organization wants to
achieve with its business continuity
management system.
Identify Business Continuity
Objectives and Recovery Targets
(Maximum Tolerable Period of
Disruption, Minimum Business
Continuity Objectives) – Based on
the identified requirements, policy
and scope, organization can now
define business continuity objectives,
recovery targets and action plans to
achieve these targets. Objectives and
targets should be consistent with the
organisation’s business continuity
policy, and include time frames for
their recovery. The objectives usually
include time based targets (e.g. MTPD,
RTO, etc). The action plans shall
identify the parties responsible for
plan implementation, the time frame
for completion, a statement of the
method used to verify the results, and
a statement of the method used to
verify business continuity recovery
improvements.

B. Implementation and operation

With a plan in place, implementation can now begin. The implementation phase includes the following activities:

Competence, training and awareness In addition, an organization should Documentation – An organization must
– An effective business continuity identify any training needs associated document, either in paper or electronic
management system is based on the with its efforts to maintain the form, the core elements of its business
competence of all personnel involved. operation of its business continuity continuity management system. The
An organisation must ensure that all management system, and document all documentation shall include:
employees, as well as vendors and training efforts.
suppliers, are knowledgeable about: ƒƒ Scope and boundaries of the
Communication – An organization organisation’s business continuity
ƒƒ Benefits of having well should routinely provide employees management system
established plan and being prepared with information about new and ƒƒ Organisation’s business
ƒƒ Threats / risks and their impacts potential threats / risks that may continuity policy
to business course business disruption, the ƒƒ Business continuity objectives,
ƒƒ Right approach to risk assessment impact of these threats / risks and targets and action plans
and business impact analysis updates on changes / improvement ƒƒ Approach to business
ƒƒ Organisation business continuity its business continuity management impact analysis
strategies and its recovery plans system, and create a process ƒƒ Risk assessment methodology
ƒƒ Objectives and importance of that allows employees and others ƒƒ Business continuity strategy
integrated test and exercise working on its behalf to make ƒƒ Business continuity plan / plans
ƒƒ Importance of conformity with suggestions for improving the ƒƒ Approach for its tests / exercises
the procedures and requirements of system. If an organization decides and their plans
the organisation’s business continuity to provide information about its ƒƒ Documents and records as
management system business continuity policy to external required by ISO 22301
ƒƒ How their activities contribute to audiences, it should establish and ƒƒ Any other documents determined
the achievement of the organisation’s implement an appropriate method to to be necessary for the effective
business continuity goals manage this communication. management the system

6 ISO 22301 | TÜV SÜD

Document control – In addition to the
above documentation requirements,
an organisation must also establish
and maintain suitable processes and
procedures to approve documents
for use, to periodically review and
update documents as necessary, and
to ensure that relevant versions of
applicable documents are available to
those who need them.
Operational control – A key aspect
of the implementation and operation
phase is the organizing and managing
them (implementation and operation)
in a manner consistent with an
organisation’s business continuity
policy, objectives, targets and action
plans. This includes establishing the risk
assessment methodology and criteria
to assess business impact on service
disruption. Documented processes
and procedures needed to meet
requirements and to implement action
plans determined shall be developed.  to organisation’s risk appetite.
The approach typically consist of a
number of discrete stages together
aimed at achieving a comprehensive
and viable business continuity plan
that will fully meet the requirements of
organisation in the event of a disruption:
TÜV SÜD | ISO 22301
a) Perform Business Impact Analysis d) Business continuity strategy
(BIA) formulation
This activity enables an organization After requirements (business recovery
to analyse the potential impact of priorities and timescales) have been
a disruption, identify the critical established through the BIA and the
processes / business functions RA, strategies can be developed
that support its key products and to identify arrangements that will
services, the interdependencies enable the organization to protect
between processes and the resources and recover critical activities based
required to operate the processes at a on organizational risk tolerance
minimally-acceptable level. and within defined recovery time
priorities and timescales. Resource
b) Perform Risk Assessment (RA) requirements (people; information and
The goal of this requirement is to data; building, work environment and
establish, implement, and maintain a associate utilities; facilities, equipment
formal documented risk assessment and consumable; information and
process that systematically identifies, communication technology (ICT)
analyzes, and evaluates the threat / systems; transportation; finance;
risk of disruptive events / incidents partners and suppliers) to implement
to the organization. Organisation the selected strategies is also
will also evaluate which threat / risks determined and established. All in
events required treatment, identify the all, the business continuity strategy
treatments commensurate with business should be an integral component of an
continuity objectives and in accordance institution’s corporate strategy.
e) Develop business continuity plan
c) Establishing business recovery and procedures
priorities, timescales and requirements At this stage, organization shall
The result from both BIA and RA allows develop, document, implement and
organization to determine its recovery maintain the business continuity
priority and recovery timescales. procedures to manage and response to
7
disruptive events / incidents and how
it continue or recover activities within
a predetermined timeframe based on
recovery objectives identified during
the BIA and RA phase. According to
ISO 22301:2012, the procedures shall :
ƒƒ Establish an appropriate internal and
external communications protocol;
ƒƒ Be specific regarding the immediate
steps that are to be taken during
a disruption;
ƒƒ Be flexible to respond to
unanticipated threats and changing
internal and external conditions;
ƒƒ Focus on the impact of events that
could potentially disrupt operations;
ƒƒ Be developed based on stated
assumptions and an analysis of
interdependencies; and;
Approach to business continuity planning
Conduct of Business Impact
Analysis Review,
Assessment of Risks, then
based on these results –
Establishment of Business
Recovery Priorities,
Timescales & Requirements
Business Continuity
Strategy Formulation
Business Continuity
Plan Production
Testing of Business
Continuity Plan
Ongoing Maintenance
8 ISO 22301 | TÜV SÜD
ƒƒ Be effective in minimizing strategies are capable of providing
consequences through implementation the recovery within the timeframes
of appropriate mitigation strategies expected / set, which becomes the
benchmark for further improvement.
f) Plan and execute business continuity
plan testing g) Ongoing business continuity
As business continuity procedures plan maintenance
is not something we execute on a The business continuity procedures
daily basis like our daily operations and plans like all organization’s
procedures, identifying potential gaps, processes and procedures will
blind spots or issues embedded within undergo review, updates, changes
the procedures post a challenge. and continual improvement. Gaps
Exercising and testing in this case, and issues identified during exercise
plays an important role of the entire and testing, various review (e.g.
implementation. To ensure that management review and internal
business continuity procedures are audits) and feedback channels,
consistent with its business continuity external and internal organizational
objectives, an organization will have changes; planned regular impact and
to test them regularly. Exercising risk review are some of the means
and testing are the processes of organization can make use of to gather
validating business continuity plans inputs for improvement.
and procedures to ensure the selected
Impact, priorities, timescales
for recovery and minimum
requirements
Options for meeting priorities,
timescales and minimum Security
requirements, and Risk controls
recommendations Reduction incl. for
resilience
Plans(s), organisation,
responsibilities, logistics,
detailed action tasklist
Test strategy and test plans,
testing and evidence
Ongoing maintenance activity
C. Checking
Continuous checking of the key Evaluation of compliance with
characteristics of an organisation’s legal and other requirements – An
risks and impact, business continuity organisation shall periodically
capabilities and its achievement of evaluate its compliance with
objectives, targets and action plans is legal requirements and any other
an essential element of the process, applicable standards and guidelines
ensuring that implementation activities in relation to the requirements of its
are producing the desired results implemented business continuity
and achieving the anticipated risks management system.
efficiencies. The checking phase
includes the following activities: Internal audit of the business
continuity management system – At
Monitoring, measurement and planned intervals, an organisation
analysis – This aspect of the checking shall conduct internal audits of the
phase includes the monitoring, business continuity management
measurement and analysis of the system to ensure that the system
following specific areas : conforms with the business continuity
objectives and targets that have
ƒƒ Determining and implementing
ƒƒ Exercise and testing result been established, and that the
appropriate corrective or preventive
ƒƒ Post-incident reporting implementation and maintenance of
actions
ƒƒ Ever change threats / risks the system is producing anticipated
ƒƒ Reviewing the effectiveness of
and their impacts capabilities and improvements.
corrective or preventative actions
ƒƒ Effect The results of these audits shall be
ƒƒ Maintaining records of all corrective
ƒƒ Effectiveness of business continuity documented and reported to the
actions
procedures and plans created to organisation’s management.
achieve the defined business An organisation shall also make any
continuity objectives and targets Corrective actions – An changes necessary to its business
organisation should be prepared to continuity management system to
The results from the monitoring and take correction actions as necessary prevent the future occurrence of
measuring of these key characteristics to address any non-conformities nonconformities.
must be documented, and the with the planned operation of the
organization must investigate and organisation’s business continuity Record control – The final aspect
respond to significant gaps identified. management system. Specific actions of the checking phase involves
In addition, an organisation must should include: the maintenance of records and
ensure that scenarios used in other documentation necessary
exercises to test key characteristics ƒƒ Reviewing actual or potential to demonstrate the organisation’s
of the business continuity procedures nonconformities ongoing compliance with the
and plans are realistic. Post mortem of ƒƒ Identifying the causes of requirements of its business continuity
every each and every exercise should nonconformities management system as well as those
be conducted and documented. Finally, ƒƒ Evaluating the need for action to of ISO 22301. Controls shall also
an organisation must periodically prevent further recurrence include provisions for record retention
review its measurement needs. and retrieval.

TÜV SÜD | ISO 22301 9

D. Management review
In the management review phase, an ƒƒ Opportunities for improvement ƒƒ To review lesson learnt and actions
organisation takes an objective look ƒƒ A review of the results of internal arising from disruptive events
at the overall effort from a strategic audits (including that of key suppliers ƒƒ Any emerging good practice and
point of view. The review phase also and partners) guidance that may have been identified
typically includes a briefing for senior ƒƒ An evaluation of the technique,
management on the progress and the products or procedures, which The management review itself will
results of the targets and action plans, could be used in the organization typically result in decisions or actions
and the overall effectiveness of the to improve the business continuity related to continual improvement
organisation’s business continuity management system’s performance opportunities and changes in the
management system (BCMS). and effectiveness following areas:
ƒƒ Status of corrective actions initiated
In preparing for the management ƒƒ A review on the results of exercising ƒƒ Organization business
review, an organisation shall consider and testing continuity policy
and evaluate all of the following ƒƒ An evaluation of risks or issues not ƒƒ Objectives, targets and other
performance considerations in adequately addressed in any previous element if the organization’ BCMS
connection with its BCMS : risk assessment ƒƒ Update of risk assessment, business
ƒƒ To review if any changes (both impact analysis, risk treatment plans,
ƒƒ Follow-up actions from any prior internal and external to the scope procedures and control to respond to
management reviews of certification) that could affect disruptive events
ƒƒ A review of the adequacy of organization BCMS ƒƒ Allocation of resources to
organisation’s business continuity’s ƒƒ Additional recommendations for manage business continuity activities
policy and if there is a need to change improvement
both its policy and objectives

10 ISO 22301 | TÜV SÜD

Conclusion
Being prepared by having an effective
business continuity management
system and recovery strategy is an
increasingly important aspect of
organisational performance. ISO 22301
provides a clearly defined roadmap for
organisations seeking to implement
and maintain a business continuity
management system that can help
organization to be prepared and ready
to handle business disruptions such
that they could quickly and effective
recover critical business operations
minimizing the impact on its services
to customers. The structure of ISO
22301 is also consistent with that of
TÜV SÜD | ISO 22301
other management systems, such In addition to the certification of
as ISO 9001, ISO 27001 and ISO business continuity management
20000-1, allowing organisations to systems to ISO 22301, TÜV SÜD
leverage their existing investments in offers a range of business continuity,
management system compliance. information security and risk related
audits and certifications, including
TÜV SÜD is an internationally ISO 27001, SS 584 (Muti-Tier Cloud
recognised testing, inspection and Security) SS 507 (Business Continuity
certification organisation, with hundreds and Disaster Recover Standard for
of technical experts in more than Service Providers) and ISO 31000, as
30 countries around the world. This well as training services in Personal
extensive network makes TÜV SÜD an Data Protection Act, ISO 20000-1 and
effective single source for organisations all the above mentioned standards and
seeking expertise in the certification guidelines.
and auditing of business continuity
management systems of all types.
11
GLOSSARY OF ACRONYMS
BCMS – Business Continuity Management Systems
RA – Risk Assessment
BIA – Business Impact Analysis
ICT – Information and Communication Technology

COPYRIGHT NOTICE
The information contained in this document represents the current view of TÜV SÜD on the issues discussed as of the date of publication. Because TÜV SÜD must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of TÜV SÜD, and TÜV SÜD cannot guarantee the accuracy of any information presented after the date of publication. This
White Paper is for informational purposes only. TÜV SÜD makes no warranties, express, implied or statutory, as to the information in this document. Complying with all applicable copyright laws
is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form
or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of TÜV SÜD. TÜV SÜD may have patents, patent
applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from TÜV SÜD,
the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. ANY REPRODUCTION, ADAPTATION OR TRANSLATION OF
THIS DOCUMENT WITHOUT PRIOR WRITTEN PERMISSION IS PROHIBITED, EXCEPT AS ALLOWED UNDER THE COPYRIGHT LAWS. © TÜV SÜD Group – 2016 – All rights reserved - TÜV SÜD is a
registered trademark of TÜV SÜD Group.

DISCLAIMER
All reasonable measures have been taken to ensure the quality, reliability, and accuracy of the information in the content. However, TÜV SÜD is not responsible for the third-party content
contained in this newsletter. TÜV SÜD makes no warranties or representations, expressed or implied, as to the accuracy or completeness of information contained in this newsletter. This
newsletter is intended to provide general information on a particular subject or subjects and is not an exhaustive treatment of such subject(s). Accordingly, the information in this newsletter is not
intended to constitute consulting or professional advice or services. If you are seeking advice on any matters relating to information in this newsletter, you should – where appropriate – contact us
directly with your specific query or seek advice from qualified professional people. The information contained in this newsletter may not be copied, quoted, or referred to in any other publication or
materials without the prior written consent of TÜV SÜD. All rights reserved © 2013 TÜV SÜD.

12 ISO 22301 | TÜV SÜD

Keep businesses operational
during and following a disruption
www.tuv-sud-psb.sg/sg-en/activity/auditing-system-certification
auditing@tuv-sud-psb.sg

Choose certainty. Add value.

TÜV SÜD is a premium quality, safety and sustainability solutions provider that specialises in testing, inspection, auditing,
certification, training and knowledge services. Represented in over 800 locations worldwide, we hold accreditations in
Europe, the Americas, the Middle East and Asia. By delivering objective service solutions to our customers, we add tangible
value to business, consumers and the environment.

Our ASEAN offices

SINGAPORE CAMBODIA INDONESIA MALAYSIA
TÜV SÜD PSB Pte Ltd TÜV SÜD Cambodia TÜV SÜD Indonesia TÜV SÜD Malaysia
Tel: +65 6778 7777 Tel: +855 23 500 25 25 Tel: +62 21 2986 5795/96 Tel: +60 3 5103 8128
2016 © TÜV SÜD PSB Pte Ltd | PSB-MKG/XX/X.0/en/SG

Email: enquiries@tuv-sud-psb.sg Email: enquiries@tuv-sud-psb.sg Email: enquiries@tuv-sud.co.id Email: enquiries@tuv-sud.my

www.tuv-sud-psb.sg www.tuv-sud-psb.sg www.tuv-sud.co.id www.tuv-sud.my

PHILIPPINES THAILAND VIETNAM

TÜV SÜD PSB Philippines TÜV SÜD Thailand TÜV SÜD Vietnam
Tel: +63 2 687 5673 Tel: +66 2 564 8041 Tel: +84 08 6267 8507
Email: enquiries@tuv-sud-psb.ph Email: enquiries@tuv-sud.co.th Email: enquiries@tuv-sud.vn
www.tuv-sud-psb.ph www.tuv-sud.co.th www.tuv-sud.vn

13 ISO 22301 | TÜV SÜD