
What is ISO 22301 standard?

Business Continuity and IT Disaster Recovery Blog


Author: Andrea Patricia Sanchez Dominguez

1. Introduction

The ISO 22301 standard was proposed in 2012 as a new way to implement the business continuity management process regardless of the size, type or location of the organization. However, a deep analysis is needed of what the standard offers to organizations and how it can be used. This article takes a journey through ISO 22301, providing a complete guide for those who want to implement it but also want to go beyond it. Each clause is described, its importance is stated, activities and methodologies are proposed and explained in order to develop the clause and, finally, deliverables are presented as the outputs of each clause.

2. ISO 22301 Standard

ISO 22301 is based on the PDCA model. PDCA, also known as the Deming Cycle, is the acronym of the Plan-Do-Check-Act analysis model. This model has its origins in the 1920s; however, it was in the 1950s that W. Edwards Deming made some improvements to the model and it became what we know today (Gupta, 2006). This model establishes that all the activities in a management process should be divided into Plan, Do, Check and Act categories. As business continuity management involves different processes, this analysis model is suitable for it. The ISO 22301 standard (ISO 22301:2012) explains the model as follows (p.vi):
  • Plan: phase related to the definition of the activities required to align the current BCM status with the desired status.
  • Do: phase related to the operation of the BCM processes.
  • Check: phase related to the assessment of the different BCM activities and elements in order to verify their performance.
  • Act: phase related to the implementation of remedies for the nonconformities found during the assessments, follow-up of these actions, and continual enhancement of the system.

3. Pre-Implementation of a BCM

Prior to the implementation of a BCM, it is important to achieve some milestones, such as the establishment of a BCM structure and the evaluation of the current state of the organization. These two are key points in the preparation for the development of a holistic BCM. In addition, in order to avoid wasting time creating everything from scratch, it is vital to check what already exists.

3.1 Evaluation of the BCM current state

This stage involves the evaluation of what has been done, how it is working, what needs to be improved, and what needs to be implemented. An easy and effective way to address these questions is through interviews with the key members of the organization. The assessment can be performed using as a base the different sections of the ISO 22301 standard: Context of the Organization, Leadership, Planning, Support, Operation, Performance Evaluation, and Improvement (ISO 22301:2012).

3.2 Definition of the BCM structure

This structure can vary from one organization to another. However, there are some important teams or groups that should be present in every BCM structure. These teams are related to specific tasks that will be performed before, during or after an incident. These stages are linked: if a team does not perform its tasks properly and on time, the whole BCM cycle is affected. The importance of creating a suitable BCM structure lies in the fact that this group of people knows how to keep the BCMS working. Without a well-defined structure, the organization will not be able to handle any kind of incident properly. Generally, a common BCM structure includes the following:
  • Board of Directors: responsible for the decision-making process and approval of policies and other important documentation.
  • Champion: responsible for influencing the board of directors to achieve the different goals of the BCMS and for obtaining the support from the different levels and areas of the organization.
  • Contingency Team: responsible for all the administrative tasks including coordination of activities, development, performance, and improvement of the BCMS.
  • Incident Response Team: responsible for coordinating all the activities that allow the organization to “anticipate, detect, and mitigate the effects of an unexpected event” (Whitman, Mattord, & Green, 2014).
  • Business Continuity Team: responsible for all the activities that let the organization continue operations while other teams control the situation (Whitman, Mattord, & Green, 2014).
  • Disaster Recovery Team: responsible for all the activities to recover the core system and other critical applications.
  • Other Organizational Units: personnel from units such as Human Resources, Legal, Audit and Risk, which also play an important role in the implementation of the BCM.

Because every organization is different, the time each one takes to implement its BCMS also differs. However, it is possible to estimate the percentage of the whole project's time expected to be spent on each clause. To do so, the following criteria have to be evaluated: size and type of the organization, the complexity of the activities necessary to complete the clause, the skills required to develop the activities, the impact of the activities on the organization, and the number of people involved in the activities. Figure 3.1 shows an approximate distribution of how the time could be divided during the implementation of the whole project. This estimation is based on the criteria just specified.

Figure 3.1: Percentage distribution of the time in the implementation of the different ISO 22301 clauses (percentage of time to spend in the development of each clause; chart values: 10%, 8%, 5%, 13%, 40%, 14%, 10%).

To better understand the results in Figure 3.1, the following sections explain the clauses of the ISO 22301 standard (Clauses 5 to 11), present the different activities that have to be performed, and list the deliverables the organization should have at the end of each clause.

3.3 Implementation of a BCM

The guide presented here for the implementation of a BCM is mainly based on how to implement what is in the ISO 22301 standard. However, as stated previously, it also includes methodologies, techniques, and information from other frameworks that are not stated in ISO 22301.

3.3.1 Clause 5 – Context of the Organization

To start the planning phase, it is important to have a good understanding of the organization. Wong and Shi (2015) focus on three important components: corporate analysis, threat and resilience assessment, and stakeholder and regulatory analysis.

3.3.1.1 Corporate analysis

It includes the identification of all the information that gives an overall idea of how the organization works. It should take into consideration the mission and vision of the company, strategic goals, project portfolio, services, products, partnerships, and external relationships. This information should be documented. If the organization does not have it, it would be good practice to start on it.

3.3.1.2 Threat and resilience assessment

Once there is a clear idea of the organization, the next step is to understand how the organization perceives risk. It will be necessary to review the existing criteria for risk tolerance and risk appetite. If they are not available, this is the moment to discuss them.

3.3.1.3 Stakeholders and regulatory analysis

It includes the identification of the different stakeholders and regulations (or legal implications) that can apply to the organization regarding the continuity of its services and products.

Once there is an understanding of how the organization works and what is important to it, the next step is to align the BCMS with the organization's business strategy. This alignment is possible through the establishment of a BCM scope that includes every aspect important for the continuity of the organization. The scope can be divided into five sections: buildings (premises), equipment (including critical documentation), technology, human resources, and third parties. In addition, the scope should take into consideration regulations that can apply to the organization and relations with stakeholders that need to be covered. As would be expected, the scope of the BCM will vary among organizations and also according to the risk appetite the organization is willing to accept. A good practice for achieving a scope that covers all that is really important is to link the corporate analysis and the stakeholder and regulatory analysis with the business strategy and business plan (short- and long-term goals and the plan to achieve them). This documentation can be used to produce the first draft of the scope. Later, when the BIA is performed, the scope may change. It is important to clarify that the scope is not static: it is dynamic and can change as the organization changes or new regulations appear. At this point in the BCMS development, the scope can be an initial idea that will mature once the BIA is performed.

Deliverables: BCM scope, risk scale.

3.3.2 Clause 6 – Leadership

As a result of the previous section, the organization should already have defined the BCM scope. The next step is to define actions that guarantee the commitment of top management to the BCMS. This is important because, without a high level of commitment, it will not be possible to obtain the drivers needed to promote the BCMS across the organization. Once these actions have been defined, the next step is to assess and measure the level of commitment of top management to the BCMS. Evidence of commitment can be the designation of dedicated resources for the BCMS (people, budget, technology), the existence of documentation related to business continuity (BC policy), and an established organizational structure for the BCMS.

The organizational structure should be reviewed and updated (in case a BCMS is already in place) or created during the pre-implementation process if it does not exist yet. It is very important that the organizational structure includes a champion. This person is the link between top management and the contingency team. The champion is in charge of the implementation of the BCMS and of encouraging the BCM culture across the whole organization while guaranteeing the support of top management. Following the establishment of the structure, it is necessary to develop a BC policy. It should be created by the contingency team. Once the policy has been created, it should be communicated to the whole organization. Top management commitment can be perceived through its support for the performance of all the activities related to the operation of the BCMS, the assessment of these activities, and their improvement.

Deliverables: BCM structure with clear roles and responsibilities, BCM policy.

3.3.3 Clause 7 – Planning

Once the scope of the BCM has been established and there is a clear BCM structure, it is possible to continue with the BCM objectives. The BCM champion can be the person in charge of defining the different objectives. The objectives reflect the goals the organization wants to achieve regarding the performance of the different elements of the BCMS. Gibb and Buchannan (2006) hold that the objectives “should be specific, measurable, attainable, relevant, and time-based (i.e. SMART)” (p.131). These characteristics will help the organization evaluate the degree of success in accomplishing the different goals. Once the objectives have been stated, the organization should evaluate the risks and threats that could affect their accomplishment. One way to start the development of the objectives is to link the BCM scope with actions that will allow the organization to cover the defined scope. The following is an example of a BCMS objective:
  • Guaranteeing the continuity of the critical operations during an adverse event through the invocation and implementation of the business continuity strategies (technological strategies and alternate processes).
Deliverables: BCM objectives.

3.3.4 Clause 8 – Support

As mentioned previously, the allocation of resources plays a crucial role in the development of the BCMS. Top management should assign adequate resources to allow continuity of operations. These resources include dedicated budget, personnel, and technologies. In the case of personnel, top management should ensure that the members of the different business contingency teams have the knowledge and skills to perform their tasks. Furthermore, all of the organization's members should be aware of the importance of the BCMS, how their job can impact it, and how to act in the case of a disruption. This clause makes special mention of the enforcement of competence and awareness, so it is important to state the difference between the two. Competence can be defined as the skills needed to perform a specific activity, while awareness, according to the BSI Institute (2011), refers to “create understanding of basic BCM issues and limitations” (p.6). In order to guarantee the adequacy of the BCMS implementation and its constant improvement, it is necessary to define minimum requirements of knowledge and skills for the people directly involved in the activities that support the BCMS. This information should appear in the job descriptions. Furthermore, it is necessary to ensure their preparedness according to the requirements defined. This is possible through the design and execution of a competence program. Wong and Shi (2015) stated the importance of applying a Training Needs Analysis (TNA). It will help the organization know where its people stand and where they need to focus. An awareness program should also be created to promote a BCM organizational culture. This program should be directed at the whole organization to raise awareness of the importance of BCM and to make workers understand how their activities and attitude can impact the whole BCM.

Following competence and awareness, the clause mentions a third element to consider: communications. Creating a communication plan will help the organization structure how to communicate the different messages during and after an incident. This plan should include at least what has to be communicated, when it has to be communicated, and to whom. Another option for communication management is to outsource this activity. This option helps the organization, during an adverse event, to focus on other activities such as the execution of business continuity strategies, recovery strategies, and the process of returning to normal operations. Finally, as part of the different activities to support and strengthen the BCMS, a document management process should be implemented. Having a document management process allows the organization to keep control of the documentation of the BCM processes and to improve it on a regular basis. A document management process covers the complete lifecycle of all the documentation (creation, access, protection, retention, storage, and maintenance). This process should be aligned with the organization's existing procedures for managing documentation.

Deliverables: Training Needs Analysis template, Competence and Awareness Program, Communication Plan, Policy and procedure for document management.

3.3.5 Clause 9 – Operation

It is not possible to highlight one phase as the most important; all the phases represent an important part of the overall system. However, this phase can be considered one of the cornerstones of the whole project, because it covers some of the most complex activities: Business Impact Analysis (BIA), Risk Analysis (RA), developing a Business Continuity Strategy, establishing and implementing Business Continuity Procedures, and exercising and testing the Business Continuity Procedures. It is important to mention that ISO 22301 does not indicate the order in which the BIA and RA are performed; it establishes that the order will depend on the methodology used to perform the analysis. This guide suggests performing the BIA first and then the RA.

3.3.5.1 Business Impact Analysis – BIA

Performing a BIA provides several benefits to the organization. The analysis offers a complete overview of the organization and covers three main goals. First, the identification of processes which, once stopped, will strongly affect the delivery of critical products and services, impacting the organization. It is necessary to include their timescales, indicating how long the organization can operate without these processes and when they should be recovered (MTPoD, RPO and RTO). Second, the identification of the impact (financial, non-financial and operational) that an incident (worst-case scenario) could cause to the organization. Third, the prioritization of the critical processes, which means the order in which these processes should be recovered after an outage. Furthermore, the BIA should specify the minimum level of resources needed to keep the processes working and their internal/external dependencies. The BIA is a very important analysis and should be done very carefully: it is the input for other analyses such as the Risk Assessment and the Business Continuity Strategies. To obtain a BIA with real information, a good practice is to start by creating a process map. The process map should be built taking into consideration all the locations of the organization where processes take place. This map should include:
  • Premises: all the business units of the organization and their respective processes.
  • Resources and Requirements: legal requirements, single points of failure, technology, dependencies (internal and external), and the people involved in the processes.
  • Times: critical periods of time when the processes should be performed in order to deliver a product or to comply with a regulation, contract or service.
  • Impact (financial / non-financial / operational): the impact of the non-performance of the processes.

Once the map has been completed, the next step is the identification of the critical processes. Critical processes are those that, once stopped, will impact the organization negatively (financially or reputationally) and/or those that represent important agreements with third parties (regulators, stakeholders, suppliers, among others). Finally, RTO, RPO, and MTPoD need to be identified for each critical process. Tammineedi defined RTO as “target time set for resumption of product, service or activity delivery after an incident” and RPO as “the point in time to which a system's data must be restored after an outage” (p.42). In addition, the Dictionary of Business Continuity Management Terms (2011) defines MTPoD as “The duration after which an organization's viability will be irrevocably threatened if a product or service delivery cannot be resumed” (p.32). The organization should start with the identification of the MTPoD of the critical processes and then continue with the RTO and RPO. These measures are crucial for the organization because they make it aware of how fast operations need to be resumed to avoid adverse impact. The definition of these measures will depend on certain aspects of the organization, such as its technological platform and the cost the organization is willing to pay to recover without suffering the impact of an adverse event. The information presented in the process map can also be used to review the BCMS scope already defined. It is possible to find information in the process map that should be included in the scope; in that case, this is a good moment to update the scope.

3.3.5.2 Risk Assessment – RA

The main purpose of this analysis is the identification and assessment of all the threats that could affect the critical elements of the BCMS. The risk analysis process includes the identification of threats, evaluation of the likelihood and impact of these threats, application of countermeasures to avoid, handle or mitigate the risks, and finally actions to monitor and review that the controls are in place and the protected assets are safe (Whitman, Mattord, & Green, 2014). To start the Risk Assessment, it is important to identify and categorize the different threats and hazards that could affect the organization. NFPA 1600 provides a list of hazards that can be used as a starting point. However, the organization should evaluate other threats that are specific to it. Once the organization has identified the risks, a methodology to implement the risk assessment needs to be selected. This study proposes the combination of two methodologies: HAZOP (Hazard and Operability Study) and FMEA (Failure Mode and Effects Analysis). Li, Gupta and Alloco stated that both methodologies help organizations identify failures in their processes and countermeasures to minimize the impact of these failures (p. 6). The combination of these two methodologies will allow the organization to work with a qualitative analysis (HAZOP) and a quantitative analysis (FMEA). Stamatis (2003) explained that for every risk three components need to be evaluated: severity (S), occurrence (O), and the detection rating (D). To evaluate these parameters, a scale from 1 to 10 can be used. Through the equation S x O x D it is possible to calculate the Risk Priority Number (RPN). The result of this calculation helps to prioritize the order in which the risks should be addressed. To obtain a more accurately prioritized list of risks, the criticality can be calculated as S x O. Risks with a higher criticality should be addressed first.
This methodology (FMEA) is also used by Tammineedi (2010) for the Site Risk Assessment during the implementation of BCM through a standards-based approach. Finally, in order to develop the countermeasures, the organization should apply the HAZOP methodology. Hyatt (2004) stated the following steps to apply HAZOP:
  • Develop a breakdown of the critical process
  • Describe the design intent of all the parts of the process that could be affected (expected behavior of the component selected)
  • Select a process parameter (parameter that is important for the expected behavior of the component)
  • Apply a guide word (word, used to imply an unexpected behavior, such as more, less, too early, too late, among others)
  • Determine the cause of failure (link this with the risks already identified)
  • Evaluate consequences/problems
  • Recommend actions
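As an added example (not code from the article or from Stamatis's FMEA text), the following Python scores a small constructed risk register with S, O and D on the 1-10 scale, computes RPN = S x O x D and criticality = S x O, and ranks the register by criticality first, using RPN as the tie-breaker, so the reader can see how the two orderings differ; the risk names and ratings are invented for illustration.

```python
"""FMEA-style risk prioritization for a BCM risk assessment (added example).

Each risk is rated for Severity (S), Occurrence (O) and Detection (D) on a
1-10 scale. RPN = S x O x D; criticality = S x O. The register is ranked by
criticality first, as the article recommends, with RPN breaking ties.
The risks below are constructed for illustration only.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 10  # rating scale used for S, O and D


@dataclass(frozen=True)
class Risk:
    name: str
    severity: int    # S: how bad the consequences are (10 = catastrophic)
    occurrence: int  # O: how likely the failure is (10 = almost certain)
    detection: int   # D: how hard it is to detect before impact (10 = undetectable)


def validate(risk: Risk) -> None:
    """Reject ratings outside the 1-10 scale so a typo cannot skew the ranking."""
    for label, value in (("S", risk.severity), ("O", risk.occurrence), ("D", risk.detection)):
        if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{risk.name}: {label}={value!r} is outside {SCALE_MIN}..{SCALE_MAX}")


def criticality(risk: Risk) -> int:
    """Criticality = S x O (impact and likelihood only)."""
    return risk.severity * risk.occurrence


def rpn(risk: Risk) -> int:
    """Risk Priority Number = S x O x D."""
    return criticality(risk) * risk.detection


def prioritize(risks):
    """Order risks for treatment: highest criticality first, RPN breaks ties,
    then name so the order is deterministic."""
    for risk in risks:
        validate(risk)
    return sorted(risks, key=lambda r: (-criticality(r), -rpn(r), r.name))


def rank_by_rpn(risks):
    """Ranking by RPN alone, kept only to compare with prioritize()."""
    for risk in risks:
        validate(risk)
    return sorted(risks, key=lambda r: (-rpn(r), r.name))


# Constructed sample register (illustrative values, not from any real assessment).
SAMPLE_RISKS = [
    Risk("Power outage at primary data centre", severity=8, occurrence=6, detection=3),
    Risk("Ransomware on file servers", severity=9, occurrence=4, detection=5),
    Risk("Key supplier insolvency", severity=6, occurrence=3, detection=8),
    Risk("Flooding of ground-floor premises", severity=9, occurrence=4, detection=2),
]


def report(risks) -> str:
    """Tabular summary of the prioritized register."""
    lines = [f"{'#':>2}  {'Risk':<38} {'S':>2} {'O':>2} {'D':>2} {'SxO':>4} {'RPN':>4}"]
    for i, r in enumerate(prioritize(risks), start=1):
        lines.append(f"{i:>2}  {r.name:<38} {r.severity:>2} {r.occurrence:>2} "
                     f"{r.detection:>2} {criticality(r):>4} {rpn(r):>4}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RISKS))
```

With these constructed ratings, ranking by RPN alone would put the ransomware risk first (RPN 180), while ranking by criticality puts the power outage first (S x O = 48), which is the difference the article's recommendation is about.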

3.3.5.3 Business Continuity Strategy

The purpose of establishing different business continuity strategies is to decrease the impact of an incident and, as the name says, to “continue” operations while the incident is taking place. With the BIA and RA results in mind, the organization should develop its BC strategies. The strategies can be classified into actions to mitigate the risk of occurrence, technological strategies, alternate processes, and alternate sites.
  • Actions to mitigate the risk of occurrence: these actions can be applied to the different resources of the BCM such as premises, equipment, technology, human resources and vendors. The strategies developed here are actions to avoid or minimize the impact of an event, for example emergency evacuation tests, installation of fire extinguishers and training in their use, among others.
  • Technological strategies: steps to follow in order to recover the core system and other critical applications during an adverse event (Disaster Recovery Plan).
  • Alternate processes: activities that would be performed to maintain the continuity of operations. Some examples of alternate processes are allowing an outsourcer to continue the critical operations or performing the critical operations manually.
  • Alternate site: there are different options for moving operations to an alternate site. These options include cold site, warm site, hot site and reciprocal agreements with other companies. The organization should establish which option is feasible for it.

3.3.5.4 Business Continuity Procedures

The Business Continuity Procedures are all the actions required to identify and face an adverse event, respond to it, operate in contingency, and finally recover and return to normal operations. These procedures can be divided into three phases: activation of the procedures, operations from an alternate site, recovery of the critical processes, and return to normal operation. The organization should establish an incident response structure that will be in charge of identifying adverse events, alerting the organization and escalating the incident.
  • Activation of the procedures: the contingency team should approve the activation of the contingency state.
  • Operations from alternate site: according to the nature of the event, the business continuity team should determine whether or not it is necessary to move to an alternate site (this site should be defined in the alternate site strategy) and continue operations from there.
  • Recovery of critical processes: the previous stage allows the responsible teams to perform the pre-established strategies for working in contingency (technology strategies and alternate processes). In parallel, other teams should be performing the steps to fix the damage caused by the incident.
  • Return to normal operation: once the damage has been fixed, it is possible to perform the activities to return to normal operation. During these phases, the organization should be executing its communication plan, which should include the workflow of communications, pre-established messages and the interested parties who need to be considered.

The Business Continuity Plan is the document in which all the information related to the organizational structure in charge during an incident, roles and responsibilities, continuity strategies, business continuity procedures, and communication procedures resides.

3.3.5.5 Exercising and Testing

The only way to come close to guaranteeing that all the continuity processes will work during a disaster is through exercising and testing. These activities should be done on a regular basis. Sometimes it is believed that testing some procedures can be chaotic because it involves interruptions to daily functions. However, there are different kinds of exercises that help to train the critical staff without interrupting the organization's operations. Wong and Shi (2015) stated that exercises can be classified into five categories: orientation, desktop, drill, functional exercise and full-scale exercise. The last two involve complex scenarios; they need more time to be designed and the risk they present to the organization is higher than that of the first three. Furthermore, any of these tests will require dedicated resources (time and staff) to be performed. Like any other activity, exercises and tests should be planned, coordinated, and performed. Once they have been performed, the lessons learned have to be discussed among all the participants and, finally, documented. These activities will help the organization know which improvements are needed in the different procedures and which recommendations will achieve the level required for an effective BCMS.

Deliverables: BIA, RA, BC Strategies, Incident Management Structure, Incident Management Policy and Procedures, Business Continuity Plan, Disaster Recovery Plan, Exercise and Testing Plan.

3.3.6 Clause 10 – Performance Evaluation

The importance of this phase lies in the fact that without measurement it is impossible to know how the system is working, or even whether it is working at all. For this reason, this phase proposes to “check”, or evaluate, the actual BCMS. According to the needs of each organization, different factors of the BCMS can be assessed. To do this, the organization should establish its measurement process and implement internal audits and management reviews.

3.3.6.1 Establishment of Measures

The evaluation criteria will vary from organization to organization. However, many organizations can agree on common evaluation criteria. Wong and Shi (2015) stated that some factors to be used as measures, metrics or performance indicators can be business continuity leadership, contribution to critical operations, the design of the BCM, BCM team and individual performance, and adaptability of the BCMS. From a technical perspective, the measures and metrics can be based on the uptime, scalability, reliability, availability, recovery time, and recovery point of the technological systems (Bajgoric, 2014). Bajgoric (2014) stated the necessity of continuous computing technologies as part of a systematic framework for the implementation of BCM. The main purpose of these technologies is to improve the availability, reliability and scalability of the information infrastructure. In addition, Bajgoric (2014) stated that these technologies can be implemented in three layers: server operating system (layer 1), storage, backup, and recovery (layer 2), and networking infrastructure (layer 3). Taking this into consideration, the organization should specify the expected normal behavior of these components in order to measure and control them. To guarantee continuity of the different services, it is important that the organization establishes performance indicators covering both the management and the technical side. In the case of the technical metrics, the organization should first evaluate its technological platform. Based on this, the measures for reliability, availability, and scalability should be defined.

3.3.6.2 Implementing an Internal Audit Process

The audit process should be performed by an independent entity. If the organization does not have an audit department, it can be performed by a third party. The auditing process should be accompanied by proper planning and coordination stages. It must be performed on a regular basis, taking into consideration the results of the previous audit. This will allow the auditors to perform follow-ups. The audit should include the evaluation of the design and operational effectiveness of the BCMS. Furthermore, the metrics and measures established in the previous step should also be assessed.

3.3.6.3 Performing Management Reviews

The importance of these reviews lies in the fact that they allow the organization to make the necessary changes to the BCMS (scope, plans, and improvements to processes or performance indicators, among others). These reviews keep the BCMS up to date because they keep it in contact with external enablers, such as new regulations appearing or new risks arising. Furthermore, these reviews help to follow up on the nonconformities found during the audits.

Deliverables: Performance Indicators, Performance Indicators Report, Audit Reports, Management Review Reports.

3.3.7 Clause 11 – Improvement

This phase concentrates on the analysis of nonconformities, the evaluation and implementation of countermeasures to handle and/or eliminate the nonconformities found, and the follow-up of these countermeasures. The final purpose of this continual improvement cycle is to remediate nonconformities and to allow constant enhancement of the BCMS. The nonconformities can be categorized into documentation, leadership, processes and procedures, training and awareness, among others. For example, the absence of a communication plan is a nonconformity related to documentation. These nonconformities are identified in the previous stage, performance evaluation, through any of the different assessments. The organization should develop and implement a remediation procedure in order to be able to analyze, evaluate, and correct the nonconformities detected. This procedure should explain the steps to follow in order to propose, approve, and implement countermeasures or corrective actions.

      3.4 Summary

      This article presented an analysis of the ISO 22301 standard and how to use the standard, other frameworks, techniques, and methodologies to implement a holistic BCMS. The article goes step by step through the different clauses of the standard, and the reader has the opportunity to learn the activities that need to be performed per clause. Furthermore, the deliverables or outcomes are provided at the end of every clause, which helps the reader to understand what the result or product of each phase is. The next article will provide the results of a BCMS analysis performed in a financial entity in a Latin American country.

      BRCCI – Business Resilience Certification Consortium International (www.brcci.org)

      We are thankful to the author for allowing us to post this insightful article on our website. BRCCI provides a comprehensive training and certification program in business resiliency, continuity and IT disaster recovery planning:
          1. 3-day CBRM (Certified Business Resilience Manager) is a comprehensive, all-in-one, 3-day Business Continuity Planning and Management Training and Certification course which is designed to teach practical methods to develop, test, and maintain a business continuity plan and establish a business continuity program.
          2. 3-day CBRITP (Certified Business Resilience IT Professional) is a comprehensive training on how to assess, develop, test, and maintain an information technology (IT) Disaster Recovery Plan for recovering IT and telecommunications systems and infrastructure in the event of a disaster or business disruption. The training provides a step-by-step methodology to ensure a reliable and effective IT disaster recovery and continuity plan consistent with the industry’s standards and best practices.
          3. 2-day CBRA (Certified Business Resilience Auditor) provides 2 days of intensive Business Continuity Audit training to enable students to determine the effectiveness, adequacy, quality and reliability of an organization’s Business Continuity Program. Students will learn an audit methodology to evaluate compliance of Business Continuity and IT Disaster Recovery Programs with the current industry’s best practices and standards including:
          • ISO 22301: Business Continuity Management Systems – Requirements
          • NFPA: Standard on Disaster/Emergency Management and Business Continuity Programs
          • ITIL: Information Technology Infrastructure Library
      For information on the above program, please contact BRCCI (www.brcci.org, 1-888-962-7224).