ISO 22301 Approach Note © Continuity and Resilience

Approach Note – ISO 22301 Implementation

Daman Dev Sood, CIO & Head – Sustainability Practice, Continuity and Resilience

Continuity and Resilience (CORE) is a boutique consulting firm engaged in Consulting, Training, Assessment and Certification in various management fields with prime focus on Business Continuity Management (BCM).

This approach note is targeted at organisations in the following three categories:

• Those who have not started their BCM journey yet

• Those who want to implement a solid BCMS based on ISO 22301

• Those who want to migrate their existing BCMS (based on BS 25999 or any other standard) to ISO 22301 based global good practices

Such organisations may be in any country, of any size and complexity, and from any industry sector.

ISO 22301:2012

By name, ISO 22301 is called Societal Security – Business Continuity Management Systems – Requirements. ISO 22301 was released on 15th May this year. This is an auditable and certifiable standard. Figure 1 shows how this has evolved from BS 25999 and other standards.

Figure 1: Evolution of ISO 22301

The importance of ISO 22301 lies in the fact that it’s more than BCM – it’s about Societal Security. The fact is that:

• Organisations today do not operate in a vacuum

• They operate within the context of society

• Delivery of their products and services has ramifications far beyond their four walls

ISO 22300 is a suite of related standards, and ISO 22301 is one of those. The next closest is ISO 22313 – The Guidance, which is expected to be out by the end of this year.

Purpose of ISO 22301

This international standard for business continuity management specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.

Figure 2 shows how the PDCA cycle has been implemented in ISO 22301.

Figure 2: PDCA cycle in ISO 22301

BS 25999 v/s ISO 22301

Figure 3 shows a quick (not comprehensive) comparison of the two standards.

Figure 3: BS 25999 v/s ISO 22301

The fact that ISO 22301 has evolved through BS 25999 and other standards, and through over 5 years of usage, has been exploited by CORE in our approach to ISO 22301 Implementation.

Approach 1: for those who have not started their BCM journey yet

This is a fresh journey with four clear steps as depicted in Figure 4.

Figure 4: First implementation of BCMS (steps shown: Understand; Prepare (basic trainings); Implement; Establish (advanced trainings, audits, management reviews); Improve)

Basic trainings here will include BCM Concepts, Conducting BIA and RA etc. Advanced trainings here will include Internal Auditing of the BCMS. There will not be focus on any particular standard.

Approach 2: for those who want to implement a solid BCMS based on ISO 22301

It is assumed that such organisations have some elements of Business Continuity / Disaster Recovery / Crisis Management in place. Figure 5 depicts the five-step approach to such implementations.

Figure 5: Enhancing existing arrangements via ISO 22301 (steps shown: Understand; Assess the Gaps; Prepare (basic trainings); Implement; Establish (advanced trainings, audits, management reviews); Improve)

The first step will be to assess the gaps with respect to existing arrangements and ISO 22301 requirements.

Basic trainings will include Fundamentals of ISO 22301 (assuming BCM concepts are already well understood).

Implementation is expected to be smoother – just bridging the gaps identified in the first step.

Advanced trainings will revolve around ISO 22301, e.g. auditing ISO 22301, BCM Specialist on ISO 22301 etc.

Once an organisation achieves this, it may like to have the next step of certification to ISO 22301. Figure 6 shows the benefits of certification to a standard.

Figure 6: Benefits of certification to a standard

CORE has the capabilities of helping organisations in this aspect also – our services include identification and recommendation of a certifying agency, pre/mock audits, practice interviews and practice MR reviews etc.

Approach 3: for those who want to migrate their existing BCMS (based on BS 25999 or any other standard) to ISO 22301 based global good practices

CORE has developed a fairly deep and smooth process for this migration challenge, as shown in Figure 7.

Figure 7: Migration to ISO 22301 (steps shown: Gap assessment; Bridging the gaps; Updation of templates; Updation of training material; Training; Internal Audit; Exercise; Management review)

CORE recommends a few additional trainings like CBCI certification, Lead Implementer of ISO 22301 and Lead Auditor of ISO 22301 etc. Our services in the field of hand-holding for certification (benefits elaborated earlier) will be available to organisations in this category also.

CORE's full basket of ISO 22301 suite of products is shown in Figure 8.

Figure 8: CORE’s ISO 22301 Suite of Products (shown: Fundamentals (1 day); Crash Course on Migration (1 day); Internal Auditor (2 days); BCM Specialist (3 days); Lead Auditor (3 days); Lead Implementer (5 days))

About the author: Daman is CIO & Head – Sustainability Practice at Continuity and Resilience. He holds over 27 years of global experience as a practitioner, trainer and consultant. Earlier, he worked with Xansa/Steria as Global BC Manager and with TCS in various roles and capacities. A member of BCI (MBCI), Daman was the BC Manager of The Year Award India winner in 2009 and BC Industry Personality of The Year Award finalist in 2011. He works closely with the BCI in various working groups. Daman has spoken at over 300 conferences across the globe. He is a Technical Expert and Assessor with BSI. Daman is an ISO 22301 Expert.

For any of your requirements in the field of BCMS implementation, ISO 22301 implementation, or migration to ISO 22301, please write to us at [email protected]