This publication identically adopts ISO 22313:2020, which gives guidance and recommendations for applying the requirements of the business continuity management system (BCMS) given in ISO 22301. The guidance and recommendations are based on good international practice.
Table of contents
Header
About this publication
Preface
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.2.1 General
4.2.2 Legal and regulatory requirements
4.3 Determining the scope of the business continuity management system
4.3.1 General
4.3.2 Scope of the business continuity management system
4.3.3 Exclusions to scope
4.4 Business continuity management system
5 Leadership
5.1 Leadership and commitment
5.1.1 General
5.1.2 Top management
5.1.3 Other managerial roles
5.2 Policy
5.2.1 Establishing the business continuity policy
5.2.2 Communicating the business continuity policy
5.3 Roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.1.1 Determining risks and opportunities
6.1.2 Addressing risks and opportunities
6.2 Business continuity objectives and planning to achieve them
6.2.1 Establishing business continuity objectives
6.2.2 Determining business continuity objectives
6.3 Planning changes to the business continuity management system
7 Support
7.1 Resources
7.1.1 General
7.1.2 BCMS resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented information
7.5.3.1 Access to documented information
7.5.3.2 Types of control
8 Operation
8.1 Operational planning and control
8.1.1 General
8.1.2 Business continuity management
8.1.3 Maintaining business continuity
8.2 Business impact analysis and risk assessment
8.2.1 General
8.2.2 Business impact analysis
8.2.3 Risk assessment
8.3 Business continuity strategies and solutions
8.3.1 General
8.3.2 Identification of strategies and solutions
8.3.2.1 General
8.3.2.2 Protecting prioritized activities
8.3.2.3 Stabilizing, continuing, resuming and recovering prioritized activities
8.3.2.4 Mitigating, responding to and managing impacts
8.3.3 Selection of strategies and solutions
8.3.4 Resource requirements
8.3.4.1 General
8.3.4.2 People
8.3.4.2.1 General
8.3.4.2.2 Incident response
8.3.4.2.3 Resumption of activities
8.3.4.3 Information and data
8.3.4.4 Buildings, workplaces and associated utilities
8.3.4.5 Equipment and consumables
8.3.4.6 ICT systems
8.3.4.7 Transportation and logistics
8.3.4.8 Finance
8.3.4.9 Partners and the supply chain
8.3.5 Implementation of solutions
8.4 Business continuity plans and procedures
8.4.1 General
8.4.2 Response structure
8.4.2.1 Purpose
8.4.2.2 Design
8.4.2.3 Team capabilities
8.4.2.4 Team composition and guidance
8.4.3 Warning and communication
8.4.3.1 General
8.4.3.2 Alerting interested parties
8.4.4 Business continuity plans
8.4.4.1 General
8.4.4.2 Coverage
8.4.4.2.1 General
8.4.4.2.2 Responding to incidents
8.4.4.3 Content and usability
8.4.4.3.1 General
8.4.4.3.2 Guidance and supporting information
8.4.4.3.3 Usability
8.4.4.4 Incident/strategic management
8.4.4.5 Communications
8.4.4.6 Safety and welfare
8.4.4.7 Salvage and security
8.4.4.8 Resumption of prioritized activities
8.4.4.9 ICT systems
8.4.5 Recovery
8.5 Exercise programme
8.5.1 General
8.5.2 Design of the exercise programme
8.5.3 Exercising business continuity plans
8.6 Evaluation of business continuity documentation and capabilities
8.6.1 General
8.6.2 Measuring effectiveness
8.6.3 Outcomes
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation