Getting Ready for ISO 22301:2012 Certification, Part 1

Our two-part blog series Getting Ready for ISO 22301 Certification will give you a comprehensive overview on how to prepare for third-party certification to this international management standard. Part one will focus on required general steps to implement a compliant business continuity management system. It will explain what is needed to fully understand the steps needed to plan, build, deploy and internally audit your business continuity management system.

Part two will provide a deeper dive into what the typical internal challenges are and the suggested solutions to address them.

Background: ISO 22301:2012 was published by ISO in 2012 as a harmonized standard with multiple inputs from national standards bodies, industry and academia. This is the world’s first ISO standard focused on business continuity. This complements the disciplines noted in ISO 27031  for IT disaster recovery.

Outlined below are 15 key steps to take to prepare for your certification audit.

1. Obtain senior management support and commitment to the program and certification goal. Appoint a Champion empowered to provide the required resources.
2. Identify interested parties (internal, external, government and community members) and their unique requirements.
3. Define business continuity program objectives, scope, and policy and exclusions (if any).
4. Define management framework, including three mandated procedures: document control, internal audit, and corrective action. Adopt the Plan, Do, Check, Act Model (Common to all ISO Management Standards)
5. Conduct risk assessments, apply risk treatments and update methodologies as needed.
6. Define recovery time objectives and recovery point objectives.
7. Define resources and align with your business continuity management strategy.
8. Define response and recovery actions via data centric recovery plans.
9. Implement training and awareness program throughout your organization and extend to your supply chain as identified as part of the risk assessment.
10. Exercise and test your program activities using independent staff, enabling impartiality.
11. Learn from each event in testing and benchmark experiences of multiple functions.
12. Communicate the necessary information in a consumable format. Test knowledge regularly via interviews, tests and exams as appropriate.
13. Measure and evaluate against the initially set Resiliency program objectives
14. Conduct an internal audit and maintain records demonstrating compliance.
15. Make improvements based on the information found from the steps above and include top management to review processes and drive change. Continue the PDCA cycle as noted in 4.

The 4 step certification process, includes:

1. Design, develop and implement system (15 steps)
2. Interview and select accredited* registrar. Obtain references and interview lead auditor if possible. Check for ‘chemistry’, if in doubt do not engage. Remember registrars must be impartial however much provide value throughout the assessment process.
3. Conduct stage 1 (remote) and stage 2 (onsite) audits. Close correction action requests fully and promptly ensuring both compliance and effectiveness of remedy is demonstrated.
4. Obtain certification, celebrate, and prepare for first surveillance audit

*Accreditation from UKAS, ANAB, or equivalent

Throughout this process you’ll learn how to engrain the business continuity discipline across your enterprise. Achieving ISO 22301 Certification puts you within unique group of companies committed business resilience. It not only allows you to obtain a better understanding of your organization, but also implement a business continuity strategy with proper response tactics. Ultimately, you will be able to better drive alignment of resilience capabilities in parallel with key management initiatives to drive continual improvement. In part two of this series we’ll break it down further and discuss challenges and solutions during the process.