Business Continuity, Disaster Recovery and ISO 22301

The UK Companies Act 2006 gave statutory status to what has long been a common law duty of company directors worldwide: to exercise due care in relation to their companies. Specifically, directors must "exercise reasonable care, skill and diligence" (s.174).

The board of directors must ensure that the organisation has developed and tested business continuity and disaster recovery plans mitigating all risks facing the organisation.

These pages provide an introduction to these subjects and their associated standards.

ISO 22301 (ISO22301) - The Business Continuity Standard

Launched in May 2012, ISO 22301 sets out the requirements for a Business Continuity Management System (BCMS). ISO22301 replaced the British BS25999-2 standard.

All organisations face business continuity risks. Did you know that:

  • 80% of organisations with a well-planned and implemented business continuity plan are likely to survive a major business discontinuity?
  • only 20% of those without a business continuity plan are likely to survive?
  • over 90% of organisations that suffer a significant data loss are not in business two years later?
  • the Chartered Management Institute's 2012 report "Planning for the Worst" indicates that 39% of organisations still don't have a business continuity plan?
  • the same report stated that 81% of managers whose organisations activated a business continuity plan in the last 12 months agreed that it effectively reduced disruption?
  • backup is not the same as a business continuity plan, and terrorism should be specifically addressed?

ISO 22301 Training

Our ISO22301 Learning Pathway provides structured progression from foundation to advanced level, covering the knowledge and skills to plan, implement and audit an ISO22301-compliant BCMS.

BS 25999 - Business Continuity

BS 25999 (which replaced PAS56 on 27 November 2006) was the Best Practice Standard for business continuity plans. It has now been replaced by ISO22301.

For more information, please browse our selection of Business Continuity Planning Books, available both as ebooks and in paper format.

In addition, our team of expert Business Continuity consultants is able to offer effective and cost-efficient solutions to any problems you may have. Visit our Business Continuity Consultancy services page for more.

ISO27031 - ICT Continuity Best Practice

ISO27031 provides recommendations specifically for ICT (information communications technology) continuity management within the overall business continuity framework provided by ISO22301. ISO27031 makes ISO22301 relevant to information and communications technology. Of course, it can also be used on a standalone basis should an organisation wish to tackle ICT continuity management specifically.

Purchase the ISO27031 standard here.

Civil Contingencies and Business Continuity Planning

In the UK, the Civil Contingencies Act 2004 sets out specific requirements for public bodies. It imposes a series of duties on local bodies in England and Wales, Scotland and Northern Ireland (known as "Category 1 responders"). These include the duty to assess the risk of an emergency occurring and to maintain plans for the purposes of responding to an emergency.

The range of Category 1 responders is broader than the range of local bodies which were subject to earlier legislation which has now been repealed. It includes certain bodies with functions which relate to health, the Environment Agency and the Secretary of State responsible for maritime and coastal emergency responses. The Act also provides a mechanism to impose duties on other local bodies ("Category 2 responders") to co-operate with, and to provide information to, Category 1 responders in connection with their civil protection duties.

Business Continuity Planning

Business continuity planning (BCP) involves the processes and procedures for the development, testing and maintenance of plans which will enable an organisation to continue operating during and after a disaster.

Plans are typically designed to cope with incidents affecting all the organisation's business-critical processes and activities, from failure of a single server all the way through to complete loss of a major facility. BCP is a response to an enterprise-level risk assessment.

Disaster Recovery Planning

Disaster Recovery Planning (DRP) usually takes place within the BCP framework. Disaster Recovery Plans are usually relatively technical and will focus on the recovery of specific operations, functions, sites, services or applications. A single BCP might contain or refer to a number of Disaster Recovery Plans. Best Practice for Disaster Recovery is set out in ISO/IEC 24762.

The business continuity management lifecycle usually includes a series of steps:

  • risk assessment
  • business impact analysis (BIA)
  • plan development
  • documentation
  • testing
  • maintenance.

This process is described in Business Continuity Planning - a Step-by-Step Guide, as well as a selection of other authoritative books available from this site.

Efficient communication is essential for all business continuity and disaster recovery professionals working on a project together. Business Continuity and BS25999: A Combined Glossary provides a common vocabulary for business continuity, listing hundreds of terms and definitions directly sourced from highly authoritative sources, including the Disaster Recovery Institute, Business Continuity Institute, ISO27001, BS7799-3:2006, ISO20000 and many others.
