ISO 22301 Business Continuity Management System Certification: organisational resilience and capacity to respond effectively to critical events

ISO 22301 "Societal security - Business continuity management systems - Requirements" is the international standard designed to help organisations identify potential threats to their business processes, and to build effective backup systems and processes to safeguard their interests and the interests of their stakeholders. The standard specifies the requirements for planning, implementing, monitoring, reviewing and improving an organisation's business continuity management system, with a view to reducing the operational impact of interruptions.

The aim of applying this standard within an organisation is to ensure that an adequate plan is in place to guarantee the continuity of essential services in accordance with service agreements established by the market or with customers. The objective is to ensure that organisations have the capacity to react to incidents and respond to emergencies and disasters in such a way that, in the event of a crisis, they can ensure the continuity of their supply of products and services, safeguard their personnel and corporate image, and carry on producing and selling their products and services. 

The standard is applicable to all organisations that want to define and improve the way they manage business continuity and demonstrate the solidity of their system to stakeholders. In particular, it is recommended for companies that operate in high-risk areas, such as public utilities, financial services, oil and gas, transport, telecommunications and food production, or in which operational continuity is a critical factor, such as in the public sector.

ISO 22301 is a management standard that can be fully integrated with other ISO standards, such as ISO 9001.

ISO 22301

ISO 22301 relates to business continuity management and specifies the requirements for planning, establishing, implementing, operating, monitoring, maintaining and continuously improving a documented management system aimed at protection, reduction of the risk of occurrence, preparation, response and recovery in relation to destabilising events when they occur. The purpose of the standard is to:

  • Provide a consistent infrastructure, based on international best practices, to manage business continuity.
  • Identify the possible impacts that threaten an organisation and provide a model for building resilience and the capacity to react effectively in order to safeguard the interests of the main stakeholders, and the reputation, brand and activities that generate added value.
  • Proactively improve the ability to withstand incidents (resilience) that could interrupt critical activities on which the achievement of key objectives depends.
  • Provide a proven method for restoring the ability to provide critical products and services to a predefined level and within a predetermined time, following an interruption.
  • Provide an adequate response aimed at managing an interruption.
  • Help provide a clear understanding of how the entire organisation works and identify opportunities for improvement.
  • Provide an opportunity to reduce insurance premiums associated with business interruption.

The benefits of ISO 22301 certification

ISO 22301 certification consists in verifying the adequacy of the management system, with particular reference to the following factors: the means of identifying the phenomena that might impact the business, the analysis of the resulting risks in the impact assessment, the definition of business monitoring and governance systems, the development of plans and programmes aimed at minimising impacts, and the development of procedures for managing emergency situations. Business continuity management system certification helps organisations to:

  • Ensure compliance with contractual and legislative requirements
  • Enhance their credibility and visibility, safeguard their image and assets and facilitate the restoration of continuity
  • Reduce the costs of incidents
  • Effectively target their investments in implementing incident management plans and business continuity plans
  • Ensure and provide evidence to stakeholders that the organisation has implemented all the necessary tools and technical and organisational measures to safeguard the delivery of critical products and services
  • Provide a consistent infrastructure, based on international best practices, to manage business continuity
  • Identify the possible impacts that threaten an organisation and provide a model for building resilience and the capacity to react effectively
  • Provide a proven method for restoring the ability to provide critical products and services to a predefined level and within a predetermined time, following an interruption
  • Provide an adequate response aimed at managing an interruption
  • Help provide a clear understanding of how the entire organisation works and identify opportunities for improvement
  • Provide an opportunity to reduce insurance premiums associated with business interruption

Business Continuity Management System Certification: industries concerned and areas of attention

The ability to ensure the supply of products and/or services in the event of serious incidents of various types (such as natural disasters, failures, strikes, acts of terrorism or vandalism, etc.) is now an imperative for all organisations. Against this backdrop, it is worth emphasising that business continuity in general cannot be achieved simply by introducing technical measures, but requires adequate organisation and appropriate procedures. Furthermore, the management of business continuity relies heavily on the participation of all key personnel, and in certain cases also the participation of suppliers, customers and other stakeholders. Organisations must therefore identify the specific critical threats they face according to the sector they work in.

ISO 22301 certification for the financial sector

The world of financial services covers a range of sectors, from banking to insurance, all of which have the common feature of needing to use network systems to carry out monetary and data transactions. Sector-specific factors include:

  • Ensuring the continuity of transactions;
  • Protecting and recovering data;
  • Restoring critical services within established times.

The banking sector, and consequently its strategic partners, can use the certification of their BCMS to provide objective evidence of their compliance with Bank of Italy directives aimed at ensuring business continuity.

ISO 22301 certification for utility companies

Suppliers of energy, telecommunications, transport, etc. form part of every country’s critical infrastructures. The transposition of relevant European directives will lead to the implementation of plans to ensure continuity of supply or service, and BCMS certification will be the natural evolution to ensure the updating, adequacy and continuous improvement of management systems.

ISO 22301 certification for trade and industry

Trade and industry need to ensure the continuity of their production or service delivery in the wake of a disaster by predicting possible scenarios in advance, by being trained and prepared to ensure the survival of their organisation, and by ensuring that their critical suppliers are too. It is not enough to be optimistic and proceed on the basis that extreme events will never happen: it is better to be prepared for the worst. By certifying your BCMS, you also gain an advantage over your competitors in terms of image and opportunities.

ISO 22301 certification for the public sector

The public sector encompasses many different areas, for which the subject of operational continuity is vitally important. This applies in particular to the public administration in the strictest sense, namely defence, healthcare and the provision of services to citizens. All public sector agencies should have a clear understanding of their organisation and the threats it may be exposed to, analyse the possible scenarios and impacts to their services and infrastructures and draw up plans in advance to reduce the impacts of disasters, so as to be able to manage incidents and restore their capabilities effectively. Certifying your business continuity management system means providing a guarantee that your plans are coherent, up to date, effective, have been tested by means of appropriate drills and are periodically reviewed and improved.

Certification for CSQ schemes is awarded to organisations that operate in accordance with the applicable standards. Certificates are valid for three years. The audits are planned on the basis of the customer’s requirements and in accordance with international standards. After the award of the certificate, the organisation undergoes periodic audits and an overall system review every three years. The auditors make on-site visits to organisations to analyse their ability to plan and manage their business processes. Management system certification is the endorsement enjoyed by organisations that have chosen to equip themselves with efficient management systems and suitable skills and structures, aimed at continuous improvement. And the higher the prestige of the awarding body, the higher the value of the guarantee.