The new business continuity and disaster recovery standard – ISO 22313 versus ISO 22301

New business continuity and disaster recovery standard

CIOs, business continuity practitioners, vendors and consultants have ISO 22313 (see https://www.e-janco.com/DRP.htm) as a handy tool that addresses most of the planning and operational issues. ISO 22313 provides detailed guidance on how a business continuity management system (BCMS) should operate. It is a complement to ISO 22301, the new global standard for business continuity.


ISO 22301 specifies the requirements a BCMS must meet, and ISO 22313 provides the guidance on how to meet them. The two standards map to each other clause by clause, so if you are working on a requirement in ISO 22301 and need additional background and more detailed content for your planning purposes, you can use ISO 22313 for a better understanding of what the tactical actions should be.

Section 8.2 of ISO 22313 addresses business impact analysis (BIA) and risk assessment (RA) (see also https://www.e-janco.com/Business_Impact_Analyis_BIA.htm and https://www.e-janco.com/Threat.htm), two very important discovery activities when developing a business continuity plan. ISO 22313 describes the issues to be researched and validated in the BIA and RA, and gives guidance on how to conduct each.

When you create an internal document or a presentation on business continuity for senior management, ISO 22313 provides the road map that you should follow in business continuity planning and helps to answer the questions that management will ask.

When writing policies and procedures for your BCMS, use language contained in ISO 22313 to help you frame your policy statements and procedures.

Defining the scope of the BCMS is a challenge for many. Organizations need to know what the breadth of the plan is: does the BC plan address the entire organization, individual departments, business processes (e.g., manufacturing), specific corporate locations or something else? Use ISO 22313 as the broad outline for the plan.

Once the scope is defined, securing senior management support and funding are two key activities in the early stages of a business continuity project. The level of management commitment required can be readily defined using the standard as a guide.

Resources, in addition to people, are needed to develop a BCMS and its associated plans. ISO 22313 helps you identify the right mix of resources, including staff, facilities, technology, information and management controls.

Incident response (see https://www.e-janco.com/Incident-Communication-Plan-Policy.html) defines the response to an out-of-normal condition and delineates what happens, who is responsible and what steps need to be taken to address the situation. ISO 22313 outlines the steps to be taken in an incident response, as well as the responsibilities of the incident response team.

To build awareness of the program, ISO 22313 lists numerous activities that can help spread the program's messages, such as internal websites, bulletin boards and senior management briefing papers.


When a disaster occurs, communicating information about the incident to employees, stakeholders and other interested parties is essential. But who should be informed and what kinds of messages should be disseminated? The standard provides useful advice on how to address these issues.

If you’re not sure how much of your program to document, or what kinds of documents are necessary, refer to the standard, since it provides a comprehensive list of program/plan documents and guidance on how to maintain and safely store them.

If your organization has already adopted an existing business continuity standard and is considering a change to the new global standard, the transition will be much easier using ISO 22313 as the guide.

Organizations need guidance on how to structure BC plans, define strategies for business recovery and resumption, plan and conduct exercises, coordinate BC plans with technology disaster recovery plans, maintain plans, and review and audit plans to ensure they comply with the standards. Use ISO 22313 for all of these activities. It not only describes what must be done but also suggests how to perform the necessary activities.

Author: Victor Janulaitis

M. Victor Janulaitis is the CEO of Janco Associates. He has taught at the USC Graduate School of Business, and has been a guest lecturer at UCLA's Anderson School of Business, at a graduate school at Harvard University, and at several other universities in various programs.