Business Continuity Management Systems: Implementation and Certification to ISO 22301

Business Continuity Management Systems: Implementation and Certification to ISO 22301

by Hilary Estall


View All Available Formats & Editions
Members save with free shipping everyday! 
See details


This practical guide is written for organisations who are implementing a business continuity management system and certification in line with ISO 22301. The development of a BCMS requires commitment, time, resourcefulness and management support. This book will fully equip those new to business continuity management or to management systems with survival skills for the ups and downs of the journey. Enriched with checklists, worksheets and invaluable top tips.

Product Details

ISBN-13: 9781780171463
Publisher: BCS Learning & Development Limited
Publication date: 09/28/2012
Pages: 128
Product dimensions: 6.75(w) x 9.62(h) x (d)

About the Author

Hilary Estall has lengthy practical experience in auditing and implementing management systems. She is currently the only IRCA-registered BCMS Lead Auditor in the UK and has 'Specialist' membership status with the Business Continuity Institute (BCI). Hilary runs her own business continuity consultancy company Perpetual Solutions Limited.

Read an Excerpt




Implementing a business continuity management system (BCMS) requires commitment, time, resourcefulness and plenty of support from your management team. Whatever the drivers behind the journey you are about to embark on, you need to be well equipped to survive the ups and downs that will occur along the way. If you can answer 'yes' to any of the following statements, this book is written with you in mind and will provide you with practical and straight forward advice:

• Your organisation is seeking formal certification to ISO 22301.

• Your organisation is seeking alignment to ISO 22301.

• Your organisation is considering whether to become certified and wishes to understand what is involved before committing resource.

• Your organisation is working towards, or has already achieved, certification to BS 25999-2 and wishes to understand what is involved in moving from one standard to another.

• You wish to develop your own understanding of what is required to implement an effective BCMS.

• You are looking for a practical support mechanism to guide you through the implementation stages of your BCMS.

The need for this handbook became clear to me during my own personal journey through BCMSs. Auditing numerous BS 25999 management systems has shown me time and time again that there are three independent factions:

(1) Those who are existing BC professionals and are implementing a management system for the first time.

(2) Those who already have experience with implementing other management systems, but are new to BCM.

(3) Those who have no prior experience in either aspect.

I concluded that missing from the raft of technical publications already available is a practical guide that bridges the two subject areas and helps manage expectations along the way.

To emphasise the importance of particular BCMS requirements you will notice a degree of repetition in the book. This is intentional and will hopefully reinforce the messages!


Management systems, if not implemented properly, can be seen as the proverbial millstone around an organisation's neck. This book aims to focus on what is significant about management systems and how best to achieve intended results. By concentrating on what is most important, the organisation will enjoy the benefits of a management system which has been developed to meet its specific needs.


This handbook is not aimed at providing you with detailed instructions on how to implement BCM. There are several publications that will offer you advice, for example, on how to undertake a business impact analysis, carry out a risk assessment or write a BC plan and you should refer to those if you are seeking that level of support.


The aim of this handbook is that it becomes your BCMS best friend! It is a tool that should be used when required rather than read from cover to cover and then set aside.

It is set out in four parts. Two focus on management systems themselves and the certification process, and the remaining two look at BCM and the requirements of ISO 22301, translating them into user friendly guidance notes.

Checklists are available for you to self assess your progress with a particular requirement, and action sheets are included to encourage you to develop your BCMS as you progress through the handbook. Do not be afraid to write in the space provided. As you read, thoughts will come into your head. These initial thoughts will often prove to be the most important and you should capture them before they are lost. Additional action sheets have been provided to you at the end of the book if you need them.

You will find 'Top Tips' throughout the book, which may prove useful to you during your BCMS journey. These tips have been gathered from my own experience and individuals who have been involved in the audit process in some way. My thanks to all those who have contributed their great ideas. You know who you are!

I wish you well with your journey into business continuity management systems and hope this handbook provides the support and guidance that you are looking for in order to achieve your BCMS objectives.




The purpose of this chapter of the handbook is to explain what a management system is and its key components. We will look at how management systems have developed over time as well as consider planned developments for the future. You will learn that there are core requirements for every management system, including BCMSs.

The objective is to provide guidance and support to both those looking to implement a BCMS for the first time and those who wish to take this opportunity to review their existing system and consider how it may be improved.


For the purposes of this chapter of the handbook, and the broader consideration of what makes up a management system, the definitions provided in ISO 22301:2012 apply unless otherwise stated.

Competence: ability to apply knowledge and skills to achieve intended results

Continual Improvement: recurring activity to enhance performance (Source: ISO 22300)

Corrective Action: action to eliminate the cause of a nonconformity and to prevent recurrence (Source: ISO 22300)

Document: information and its supporting medium

Effectiveness: extent to which planned activities are realised and planned results achieved (Source: ISO 22300)

Internal Audit: audit conducted by, or on behalf of, the organisation itself for management review and other internal purposes, and which might form the basis for an organisation's self declaration of conformity

Management System: set of interrelated or interacting elements of an organisation to establish policies and objectives, and processes to achieve those objectives

Nonconformity: non-fulfilment of a requirement (Source: ISO 22300)

Policy: intentions and direction of an organisation as formally expressed by its top management

Procedure: specified way to carry out an activity or a process (Source: ISO 9000:2005)

Record: statement of results achieved or evidence of activities performed

Top Management: person or group of people who directs and controls an organisation at the highest level


In order to put management systems into context, we start with a brief look at how these systems came about. We will then take a more detailed look at the core requirements of a management system and provide you with a practical insight into the areas that require particular consideration. Everything written in this chapter is relevant to business continuity management systems and should be considered as part of your BCMS implementation programme.


Even if you have never been involved with management systems before, you have probably heard of BS 5750 or ISO 9001. BS 5750 was one of the first widely recognised quality management systems, introduced in 1979 and the forerunner to the better known and internationally applied ISO 9000 series of standards. The aim of these standards was to help organisations introduce consistent methods of delivering products and services in ways which would increase quality, accuracy and efficiency. It was later generally recognised to increase an organisation's competitive edge.

Management principles

When the ISO 9000 standards were introduced, eight quality management principles were identified, which, when applied by top management, were perceived to help an organisation improve its performance.

1. Customer focus

Organisations depend on their customers and therefore should understand current and future customer needs, should meet customer requirements and strive to exceed customer expectations.

2. Leadership

Leaders establish unity of purpose and direction of the organisation. They should create and maintain the internal environment in which people can become fully involved in achieving the organisation's objectives.

3. Involvement of people

People at all levels are the essence of an organisation and their full involvement enables their abilities to be used for the organisation's benefit.

4. Process approach

A desired result is achieved more efficiently when activities and related resources are managed as a process.

5. System approach to management

Identifying, understanding and managing interrelated processes as a system contributes to the organisations effectiveness and efficiency in achieving its objectives.

6. Continual improvement

Continual improvement of the organisation's overall performance should be a permanent objective of the organisation.

7. Factual approach to decision making

Effective decisions are based on the analysis of data and information.

8. Mutually beneficial supplier relationships An organisation and its suppliers are interdependent and a mutually beneficial relationship enhances the ability of both to create value.

(Source: BS EN ISO 9000:2005).

No doubt you will recognise at least some of these principles from reading documents, standards and specifications on the subject of BC, risk management and other related subjects. The ISO 22301 standard, Societal Security – Business Continuity Management System – Requirements, has been developed along the same lines, although some of the terminology may look different.

As mentioned above, and linked to the eight management principles, there are some common management system requirements. They are:

• The organisation shall document the scope of the management system and the management system standards/specifications to which it subscribes.

• The organisation shall establish, document, implement, maintain and continually improve the management system in accordance with the requirements of the management system standards/specifications to which it subscribes.

• In order to meet its declared policies and objectives, the organisation shall:

* identify the processes needed for the implementation, operation and maintenance of the management system, and their application throughout the organisation;

* determine the sequence and interaction of these processes and the applicability for integration of these processes;

* determine criteria and methods needed to ensure that both the operation and control of these processes are effective;

* ensure the availability of resources and information necessary to support the operation and monitoring of these processes;

* monitor, measure and analyse these processes, and implement actions necessary to achieve planned results and continual improvement of the organisation's overall performance.

(Source: PAS 99:2006).

How management systems have evolved

Over the years, these principles and requirements have continued to evolve. Where BS 5750 was concerned with compliance, over time, and through the ISO 9001 version updates, this has been superseded with a more cohesive approach towards continual improvement and the overall effectiveness of the management system. Conformance is no longer seen as enough; added value from a management system is now required by its users.

At the time this book went to print, a specially convened ISO Committee was looking at how management systems may be better aligned in order for the high level structure and common requirements to be systematically applied to future management system standards. This will assist organisations which have, or are looking to, introduce more than one management system as well as encourage a more standardised approach to implementing different management systems generally.

Two part management systems

Management systems invariably come in two parts;

(1) Structural requirements

(2) Technical requirements specific to individual standards.

In this section we will turn our attention specifically to BCMSs.

Business Continuity Management (BCM): holistic management process that identifies potential threats to an organisation and the impacts to business operations those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value- creating activities.

Business Continuity Management Systems (BCMS): part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity.

In my experience, disproportionate levels of attention are often placed on these two aspects of BCMS requirements, and which comes through as the stronger element will depend on who has been given responsibility for implementing the system and their professional background. Where possible, a team approach should be considered, in order to draw upon different areas of knowledge.


When implementing a BCMS, management system requirements and BCM requirements are equally important. Do not assume otherwise and lose sight of one of these two aspects of your BCMS. You are unlikely to achieve certification unless both elements are fully implemented and effective.

Keeping your management system 'local'

Whilst international standards are written by committees comprising several member countries, you should never lose sight of the fact that your management system must reflect the needs of your organisation. The requirements are written in such a way to be applicable across companies of different sizes, whether based in a single country or multiple countries across the globe. However, for those readers who work in a multinational organisation, you will know that cultural differences exist and need to be respected. It is very important that these local practices and expectations are managed with consideration, and for procedures to reflect these regional variations. This extends to your management system and how you set about demonstrating local application. Remember, if you are to be audited by an external company, it is their responsibility to understand where cultural differences may exist and tailor their expectations accordingly.


Find an approach which works well with your organisation's culture whilst also complying with the requirements of the standard. In other words, make your BCMS fit around your business and not the other way round.


To help support your organisation's decision to implement a BCMS, create a summary of the benefits of adopting ISO 22301 in order to help focus peoples' minds and management commitment.


As with all management systems, BCMSs follow a recognised and methodical approach to improving processes. It is known as the PDCA model and, through a series of actions, encourages the continual improvement of the processes captured within the scope of the system. The PDCA model is often depicted at the start of the management system standard and ISO 22301 is no exception. Figure 2.1 illustrates how the PDCA model is applied to BCMS processes and Table 2.1 provides explanatory notes for each of the PDCA elements.


Building on the eight management principals and common elements of management systems, there are mandatory requirements across all management system standards.

• Determining the scope of the management system;

• Top management responsibilities with respect to the management system;

• Management system documentation;

• Improvement;

• Writing policies and setting objectives;

• Allocation of suitable resources and determining competencies;

• Evaluation of the performance and effectiveness of the management system;

• Internal Audit;

• Management Review;

• Nonconformity and Corrective Action Review.

We will now look at each of these requirements in detail. All are relevant to BCMSs.


It stands to reason that until you have 'scoped' your management system, you cannot reasonably build it. In other words, until you have decided what will be included, and possibly excluded, you are not in a position to develop its core components.


Excerpted from "Business Continuity Management Systems"
by .
Copyright © 2012 Hilary Estall.
Excerpted by permission of BCS The Chartered Institute for IT.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

Table of Contents

List of figures and tables

Customer Reviews