ISO 22301 Clauses

ISO 22301 has ten main clauses or sections. The first three are introductory; they give you an overview of the scope of this ISO standard and how you can implement it. These three clauses are informational and not mandatory for implementation. The remaining seven clauses of ISO 22301 are the crucial ones and must be implemented strictly to obtain certification.

The ISO 22301 clauses are well-defined and meant to help you develop a Business Continuity Management System (BCMS) that can ensure an uninterrupted business operation irrespective of internal and external circumstances. They are relatively standard; they remain the same for all businesses regardless of their size, nature, and geographical location. They do not even vary for non-profit organizations.

The ISO 22301 clauses are:

Introduction
Clause 1: Scope
Clause 2: Normative References
Clause 3: Terms & Definitions

Requirements
Clause 4: Context of the Organization | PLAN
Clause 5: Leadership | PLAN
Clause 6: Planning | PLAN
Clause 7: Support | PLAN
Clause 8: Operations | DO
Clause 9: Performance Evaluation | CHECK
Clause 10: Improvement | ACT

ISO 22301 Clauses 1 to 3: The introductory clauses

These three clauses provide all the background information you may need to understand the remaining seven clauses and figure out how to implement them. As mentioned above, they are introductory sections and contain little to execute; whatever implementation guidance these ISO 22301 clauses do mention is not mandatory.

ISO 22301 Clauses 4 to 10: The fundamental clauses

The seven mandatory ISO 22301 clauses are designed per the PDCA methodology, i.e., the ‘PLAN, DO, CHECK, ACT’ cycle. Dr. W. Edwards Deming, often regarded as the father of modern quality assurance, developed this four-step project management tool. The PDCA method helps organizations identify problems, find solutions and test them on a small scale to evaluate their effectiveness. By repeating the PDCA cycle frequently, organizations can find and fix the loopholes in their disaster management plan, and over time develop a foolproof BCMS that lets them function with minimal interruption, even during the worst crisis. Here is what the seven fundamental ISO 22301 clauses define:

Clause 4: Context of the Organization | PLAN

This clause of ISO 22301 mandates that organizations understand what they do and which of their processes must be sustained to prevent financial and reputational damage. Once this is defined, organizations must determine the parties or people responsible for ensuring the continuity of operations. They must document the legal and regulatory requirements that apply to them. Finally, this ISO 22301 clause requires businesses to document the scope of their BCMS and prepare it accordingly.

Clause 5: Leadership | PLAN

This section mandates that organizations ensure the people responsible for designing and executing the BCMS are always available and actively engaged in developing, documenting, improving, testing, and implementing the disaster management plan. The roles and responsibilities of the parties or people involved must be clearly defined, and when doing so, the competencies of each individual or team must be thoroughly considered for each role.

Clause 6: Planning | PLAN

Planning is a crucial and lengthy clause of ISO 22301. It states that organizations must document the potential disruptions they could face from internal, external, and natural causes. They must also evaluate the associated risk, financial as well as reputational. Based on these, businesses must craft a reliable Business Continuity Management System that can prevent or reduce those risks.

Clause 7: Support | PLAN

The BCMS of an organization will need numerous resources: workforce, technology, infrastructure (new, or modifications to the existing one), communication, data and information, competence, etc. This ISO 22301 clause mandates that organizations arrange these resources. The people involved must be competent enough to handle their designated responsibilities. They must be made aware of the BCMS, its importance, and what the organization expects of them. The resources, or the person responsible for managing them, must communicate freely with management and inform them about any changes or requirements.

Clause 8: Operations | DO

The ISO 22301 clauses mentioned above relate to the ‘Plan’ part of the PDCA methodology; Clause 8 is the ‘Do’ part. When planning is done, this clause mandates organizations to start executing their BCMS. They must conduct a risk assessment and document the Business Impact Analysis. Based on this report, organizations must develop a business continuity strategy. They must implement the strategy and the other business continuity procedures. They must test the continuity procedures periodically and develop improvements where needed.

Clause 9: Performance Evaluation | CHECK

This ISO 22301 clause states that once organizations have implemented the BCMS, they must regularly monitor, analyze, and evaluate its efficiency. They must conduct and document regular internal audits to identify loopholes and areas for improvement. Management must review these audits regularly to ensure the responsible team is always alert and ready.

Clause 10: Improvement | ACT

The last clause of ISO 22301 is based on the ‘Act’ part of the PDCA model. It states that if organizations find flaws in their BCMS, they must determine the root causes and take corrective actions. Organizations must do this regularly. All the ‘Plan, Do, Check, and Act’ tasks mandated by ISO 22301 must be performed routinely to ensure that your BCMS is foolproof and up to date.

Conclusion

The ten clauses of ISO 22301 are designed to guide you in managing, mitigating, and recovering from the risks posed by disruptive events. They are designed to help businesses survive crises. They provide a framework of policies and procedures that can help companies deliver uninterrupted services to their customers irrespective of internal or external disasters. So, even though ISO 22301 is not mandatory in most countries, every organization (small, big, government, private, or non-profit) should go for it.