ISO 22301: Business Continuity Management System (BCMS)

Apply the pdca cycle to plan, do, check, and act within a bcms, performing risk assessment, bia, strategy development, testing, audits, and ongoing improvements for iso 22301.

Define the scope of the BCMS by identifying critical functions and processes and considering step two requirements. Prioritize resources to protect operations and set boundaries, governance, and evaluation criteria.

The lecture shows how top management establishes a tailored, documented business continuity policy under ISO 22301, guiding objectives and continual bcms improvement.

Apply asset-based risk assessment for ISO 22301: identify assets, vulnerabilities, threats; assign risk owners; evaluate controls; determine likelihood and impact; prioritize risks; set acceptance criteria; draft the risk assessment report.

Identify and prioritize assets for ISO 22301 risk assessments by assigning owners, limiting scope to mission critical assets, and classifying assets as critical, major, or minor by value and importance.

Identify risk owners for each risk, assigning accountability and authority to manage the risk, which may be separate from the asset owner, such as the head of the IT department.

Assess the likelihood of incidents by considering vulnerability type, threat capability and motivation, and control effectiveness, then use a risk acceptance matrix to prioritize four risks for business continuity.

Identify and assess disruptions' impact on critical functions under iso 22301, prioritize recovery, and develop continuity plans with rtos and rpos, then test and update.

Apply a quantitative impact assessment to monetize disruption durations, estimating losses in revenue, reputation, sla penalties, and legal costs to guide recovery planning and rto and rpo decisions.

Develop a business continuity strategy by identifying and selecting strategies aligned with objectives and requirements. Address before, during, and after disruption, ensure continuity, recovery, protection, risk reduction, and resources.

Identify and secure the people, information, infrastructure, equipment, ICT, transportation, finance, and external partners needed to implement and sustain business continuity solutions.

Evaluate recovery locations for business and it activities and justify choosing own infrastructure for cloud building utility due to cost effectiveness, control, and scalability.

Explore transportation options for relocating employees and goods during disruptions, including public transport, owned or private vehicles, special arrangements, and walking, with carpooling to improve reliability and efficiency.

Develop ISO 22301 aligned business continuity plans and procedures, detailing incident response, disaster recovery, and restoration steps, activation thresholds, roles, RTOs, and clear communication for disruptions.

Implement a business continuity plan (BCP) with a crisis management framework, appoint a crisis manager, and form IT operations, communications, and HR teams to enable activation, reporting, and stakeholder communication.

This lecture defines the disaster recovery plan within a business continuity strategy, outlining scope, RTO, activation criteria, minimum capacity, locations, resources, transport, roles, dependencies, communication, and a step-by-step checklist.

Restoration plans guide organizations to return operations to the pre-incident state by preserving damaged assets, assessing damage, evaluating options, and integrating with the business continuity plan.