Business Continuity, Disaster Recovery and ISO 22301

The UK Companies Act 2006 gave statutory status to what has long been a common law duty of company directors worldwide: to exercise due care in relation to their companies. Specifically, directors must "exercise reasonable care, skill and diligence" (s.174).

The board of directors must ensure that the organisation has developed and tested business continuity and disaster recovery plans mitigating all risks facing the organisation.

These pages provide an introduction to these subjects and their associated standards.

ISO 22301 (ISO22301) - The Business Continuity Standard

Launched in May 2012, ISO 22301 sets out the requirements for a Business Continuity Management System (BCMS). ISO22301 replaced the British BS25999-2 standard.

All organisations face business continuity risks. Did you know that:

  • 80% of organisations with a well-planned and implemented business continuity plan are likely to survive a major business discontinuity?
  • only 20% of those without a business continuity plan are likely to survive?
  • over 90% of organisations that suffer a significant data loss are not in business two years later?
  • the Chartered Management Institute's 2012 report "Planning for the Worst" indicates that 39% of organisations still don't have a business continuity plan?
  • the same report stated that 81% of managers whose organisations activated a business continuity plan in the last 12 months agreed that it effectively reduced disruption?
  • backup is not the same as a business continuity plan, and terrorism should be specifically addressed?

ISO 22301 Training

Our ISO22301 Learning Pathway provides structured progression from foundation to advanced level, covering the knowledge and skills to plan, implement and audit an ISO22301-compliant BCMS.

ISO27031 - ICT Continuity Best Practice

ISO27031 provides recommendations specifically for ICT (information and communications technology) continuity management within the overall business continuity framework provided by ISO22301. ISO27031 makes ISO22301 relevant to information and communications technology. It can also be used on a standalone basis should an organisation wish to tackle ICT continuity management specifically.

Civil Contingencies and Business Continuity Planning

In the UK, the Civil Contingencies Act 2004 sets out specific requirements for public bodies. It imposes a series of duties on local bodies in England and Wales, Scotland and Northern Ireland (known as "Category 1 responders"). These include the duty to assess the risk of an emergency occurring and to maintain plans for the purposes of responding to an emergency.

The range of Category 1 responders is broader than the range of local bodies which were subject to earlier legislation which has now been repealed. It includes certain bodies with functions which relate to health, the Environment Agency and the Secretary of State responsible for maritime and coastal emergency responses. The Act also provides a mechanism to impose duties on other local bodies ("Category 2 responders") to co-operate with, and to provide information to, Category 1 responders in connection with their civil protection duties.

Business Continuity Planning

Business continuity planning (BCP) involves the processes and procedures for the development, testing and maintenance of plans which will enable an organisation to continue operating during and after a disaster.

Plans are typically designed to cope with incidents affecting all the organisation's business-critical processes and activities, from failure of a single server all the way through to complete loss of a major facility. BCP is a response to an enterprise-level risk assessment.

Disaster Recovery Planning

Disaster Recovery Planning (DRP) usually takes place within the BCP framework. Disaster Recovery Plans are usually relatively technical and will focus on the recovery of specific operations, functions, sites, services or applications. A single BCP might contain or refer to a number of Disaster Recovery Plans. Best Practice for Disaster Recovery is set out in ISO/IEC 24762.

The business continuity management lifecycle usually includes a series of steps:

  • risk assessment
  • business impact analysis (BIA)
  • plan development
  • documentation
  • testing
  • maintenance.

This process is described in Business Continuity Planning – a Step-by-Step Guide, as well as a selection of other authoritative books available from this site.

ISO22301: A Pocket Guide will help you understand international business continuity best practice, and provides guidance on the best way to implement a fit-for-purpose Business Continuity Management System (BCMS).
