Business Continuity Standards & Frameworks

Here ‘business’ refers to any field of endeavour, including government. The current pandemic has created a global awareness that organizations in the public and private sectors must know how to prepare for and respond to unexpected, disruptive incidents. COVID-19 has shown that governments and organizations of any size could have benefited significantly from implementing and maintaining business continuity standards.

First, what is Business Continuity?

Business continuity encompasses a loosely defined set of planning, preparatory and related activities. They are intended to ensure that an organization’s critical business functions will continue to operate despite serious incidents or disasters that might otherwise have interrupted them. With proper planning, an organization will recover to an operational state within a reasonably short period.

Business continuity includes three key elements: resilience, recovery, and contingency.

  • Resilience: critical business functions and their supporting infrastructure are designed to be materially unaffected by most disruptions, for example through redundancy and spare capacity.
  • Recovery: arrangements are made to recover or restore critical and less critical business functions that fail for some reason.
  • Contingency: the organization establishes a generalized capability and readiness to cope effectively with whatever major incidents and disasters occur, including those that were not, and perhaps could not have been, foreseen. Contingency preparations constitute a last-resort response if resilience and recovery arrangements prove inadequate in practice.

Enter the business continuity standards. They ensure consistency when an organization adopts a specific business continuity methodology. Following guidelines and prescribed procedures also gives any group the possibility of quick turnaround times.

Business continuity standards broadly encompass the following aspects:

  • Quickly establishing the resource requirements for restoring operations and keeping them operational;
  • Recovery procedures that are prioritized based on the criticality of operations;
  • Protecting employees, resources and assets from legal scrutiny by providing valid evidence of preventive, response and restoration measures;
  • Designing plans at an organizational level that can be integrated across organizations to leverage a consolidated response as and when required.

Many have the misconception that ISO standards are relevant only to big corporations and governments. Budgetary constraints might be a deterrent in the case of some ISO standards, but others, ISO 22301 in particular, are agnostic as far as organizational size is concerned. ISO 22301 is equally applicable regardless of the sector to which the organization belongs.

The following three are the ISO standards most commonly referred to when organizations design a business continuity capability.

ISO/IEC 22301 Societal Security – Business Continuity Management Systems – Requirements – This business continuity standard provides a framework for response strategies and recovery measures through a documented management system. Activities include planning, design, execution, operability facilitation, supervision, evaluation, maintenance and periodic improvement. It helps organizations, regardless of their size, location or activity, to be better prepared and more confident in handling disruptions of any type. Incidents can disrupt an organization; applying ISO 22301 ensures that the organization can respond and continue its operations. Incidents take many forms, ranging from large-scale natural disasters and acts of terror to technology-related accidents and environmental incidents. However, most incidents are small but can still have a significant impact, which makes business continuity management relevant at all times. ISO 22301 provides a framework to plan, establish, implement, operate, monitor, review, maintain and continually improve a BCMS. It is expected to help organizations protect against, prepare for, respond to, and recover from disruptive incidents when they arise.

ISO/IEC 22313:2020 Security and Resilience — Business Continuity Management Systems — Guidance on the use of ISO 22301 – This document gives guidance and recommendations for applying the Business Continuity Management System (BCMS) given in ISO 22301. The advice and recommendations are based on good international practice.

This document applies to organizations that:

  • Implement, maintain and improve a BCMS;
  • Seek to ensure conformity with stated business continuity policy;
  • Need to be able to continue to deliver products and services at an acceptable predefined capacity during a disruption;
  • Seek to enhance their resilience through the practical application of the BCMS.

The guidance and recommendations apply to all sizes and types of organizations, including large, medium and small organizations operating in industrial, commercial, public and not-for-profit sectors. The approach adopted depends on the organization’s operating environment and complexity.

ISO/IEC 27001:2013 Information Technology – Security Techniques – Information Security Management Systems – Information security management systems (ISMS) are the focus of this ISO standard. Activities include design, execution, maintenance and creating a culture of ongoing improvement. ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the organization’s context. It also includes provisions for the assessment and treatment of information security risks tailored to the organization’s needs. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to apply to all organizations, regardless of type, size or nature.

Other standards relevant to business continuity management and planning include:

ISO/IEC 22320:2018 Security and Resilience – Emergency Management – Guidelines for Incident Management: ISO 22320 defines incident response requirements and allows public and private organizations to establish and enhance their ability to respond to emergencies regardless of their magnitude. ISO 22320 helps mitigate threats and damage and ensures the continuity of necessary facilities such as water and food supplies, health and rescue services, fuel delivery, and electricity. ISO 22320 ensures that all related parties are on the same page during a disaster, minimizing the chance of misunderstandings and making more effective use of the combined resources. It encourages the development and implementation of incident response measures that ensure a response suited to the affected population’s needs.

ISO 27000 – This is a collection of norms relevant to ISMS. Information systems security is the focus area of this family, covering financial data, employee profiles, customer details and third-party databases.

  • ISO/IEC 27002:2013 Information Technology – Security Techniques – Code of Practice for Information Security Controls – this standard gives a more detailed description of the implementation of controls and is mostly applied in the Do Phase (Implementation) of ISO 27001.
  • ISO/IEC 27003:2010 Information Technology – Security Techniques – Information Security Management Systems – Guidance. ISO 27003 focuses on the critical aspects needed to successfully design and implement an Information Security Management System (ISMS) following ISO 27001:2005.
  • ISO/IEC 27004:2016 Information Technology – Security Techniques – Information Security Management – Monitoring, Measurement, Analysis and Evaluation. ISO 27004 guides the development and use of measures and measurement to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of rules, as specified in ISO/IEC 27001.
  • ISO/IEC 27005:2018 Information Technology – Security Techniques – Information Security Risk Management. ISO 27005 specifies methods for information risk assessment and treatment and is useful in the Plan Phase according to ISO 27001.
  • ISO/IEC TS 27008:2019 Information Technology – Security Techniques – Guidelines for the Assessment of Information Security Controls. ISO 27008 provides guidance on reviewing the implementation and operation of controls, including technical compliance checking of information system controls, against an organization’s established information security standards.
  • ISO/IEC 27031:2011 Information Technology – Security Techniques – Guidelines for ICT Readiness for Business Continuity. ISO 27031 describes the concepts and principles of information and communication technology (ICT) readiness for business continuity. It provides a framework of methods and processes to identify and specify all aspects of improving an organization’s ICT readiness to ensure business continuity.
  • ISO/IEC 27035 Management Systems Standards – Information Security – Information Security Incident Management

ISO 28000:2007 Specification for Security Management Systems for the Supply Chain. ISO 28000 is a business continuity standard that outlines the prerequisites of a security management system from a supply chain management perspective. ISO 28000 specifies the requirements of a security management system, including those critical to the security assurance of the supply chain. Security management is linked to many other aspects of business management. Elements include all activities controlled or influenced by organizations that impact supply chain security. These aspects should be considered directly, where and when they affect security management, including the transport of goods along the supply chain.

ISO 28000 applies to organizations of all sizes, from small to multinational, in manufacturing, service, storage or transportation at any stage of the production or supply chain that wish to:

  • Establish, implement, maintain and improve a security management system;
  • Assure conformance with stated security management policy;
  • Demonstrate such conformance to others;
  • Seek certification/registration of its security management system by an accredited third-party certification body; or
  • Make a self-determination and self-declaration of conformance with ISO 28000.

There are legislative and regulatory codes that address some requirements in ISO 28000.

It is not the intention of ISO 28000 to require duplicative demonstration of conformance.

Organizations that choose third party certification can further demonstrate that they are contributing significantly to supply chain security.

ISO 31000:2018 Risk Management – Guidelines. ISO 31000 provides high-level principles and generic guidelines for managing the risk faced by organizations; risk treatment and efficient resource allocation are among the highlighted topics. It is a generic risk management framework that is not industry or sector-specific and can be applied to any organization regardless of its nature, type, or complexity, with the guidelines customized to the organization and its context. ISO 31000 can be used throughout the organization’s life and applied to any activity, including decision-making at all levels.

ISO/IEC 38500:2015 Information technology – ISO 38500 provides guiding principles for members of governing bodies of organizations (which can comprise owners, directors, partners, executive managers, or similar) on the effective, efficient, and acceptable use of information technology (IT) within their organizations. It also guides those advising, informing, or assisting governing bodies. They include the following:

  • executive managers;
  • members of groups monitoring the resources within the organization;
  • external business or technical specialists, such as legal or accounting specialists, retail or industrial associations, or professional bodies;
  • internal and external service providers (including consultants);
  • auditors.

ISO 38500 applies to the governance of the organization’s current and future use of IT, including the management processes and decisions related to that use. These processes may be controlled by IT specialists within the organization, by external service providers, or by business units within the organization. The standard defines the governance of IT as a subset or domain of organizational governance, or in the case of a corporation, corporate governance.

ISO 38500 applies to all organizations, including public and private companies, government entities, and not-for-profit organizations. It applies to organizations of all sizes, from the smallest to the largest, regardless of their use of IT.

The purpose of ISO 38500 is to promote effective, efficient, and acceptable use of IT in all organizations by

  • assuring stakeholders that, if the principles and practices proposed by the standard are followed, they can have confidence in the organization’s governance of IT,
  • informing and guiding governing bodies in governing the use of IT in their organization, and
  • establishing a vocabulary for the governance of IT.

PD 25111:2010 Business Continuity Management – Guidance on human aspects of business continuity gives guidance on the planning and development of human resource strategies and policies for the critical phases following a disruption:

  • Coping with the immediate effects of the incident,
  • Managing people during the period of turmoil (the continuity stage), and
  • Supporting staff after the recovery of normal operations.

PD 25666:2010 Business Continuity Management – Guidance on exercising and testing for continuity and contingency programmes gives all organizations appropriate guidance on exercising, including testing activities, for continuity and contingency programmes. Arrangements for information technology (IT) systems also fall under this general guidance.