Essential Steps for Effective BCP Management to Achieve ISO22301 Compliance

Essential Steps for Effective BCP Management to Achieve ISO22301 Compliance
By Milind Kamat, March 22, 2023

Bringing your business back online after a crisis or natural disaster is known as business continuity (BC). The management of unexpected "lights out" events within your organization is the focus of BC. However, there is a limit, which is defined by the number of outages. You can primarily plan for four outage scenarios: vendor outage, site outage, people or skill outage, and technology outage.

The essential steps for a comprehensive business continuity plan are outlined below.

  1. Determining which activities are essential to the mission and require a continuity plan. To evaluate the necessity for BCP, one requirement is to figure out a big business setting. A unit of an organization is broken up into mission-critical teams and services like revenue-generating services (RGS) for businesses that make money, customer-facing services for non-profits, essential infrastructure services (EIS) like power, utilities, IT, and security, and delayed start services (DSS), which are services that can wait until an emergency occurs. You can prioritize recovery with this assessment. EIS recovered first, RGS recovered second, and DSS recovered last.
  2. A business term called "maximum tolerable period of disruption" (MTPOD) indicates how many hours you are willing to be out of business. The degree of tolerance varies from organization to service. For a bank, it may be insignificant, while for the service industry, it may be insignificant. Prescriptive, not indicative). Because it determines the speed of recovery strategies, it is critical to agree on this term.
  3. Recovery time objective (RTO) is a metric for planning for continuity. It responds to inquiries like "how quickly do we plan" to recover? This is by and large set at 75% of the MTPOD esteem.
  4. Determine the minimum service target following a disaster using minimum service levels (MSL). The question can be "what minimum services are to be guaranteed as per SLA agreed" for organizations whose service delivery is customer-facing. You may have two or more layers of recovery as an organization, starting with minimum recovery immediately and scaling up to a recovery level
  5. Continuity Planning: Plan for outages (building not available) rather than events like fire. You probably have event-wise plans already. Those plans are intended to forestall. Planning for interruptions is business continuity. They may generally be 4. Technology outages, people/skills outages, vendor outages, and site outages. They are able to be more, but you get the point. Each needs its own plan. "All preventive controls have failed – now how do we restore?" is the planning assumption.
  6. Continuity Strategies: There are two to three choices for each outage. Skills transfer, a suitable vendor, or an increase in manpower are examples of people outages. Skill insourcing, a different vendor, or increasing capacity from the same vendor are all options for vendor outage planning. Work from home, working from another location, and working from both locations are all examples of location outages. A technology outage can be warm, cold, or hot. Your selection of options is influenced by risk and budget.
  7. Strategies for Testing and Tests: Your continuity strategy is necessary for your testing. All options are available, from reviewing documents on the tabletop to turning off the main power completely. Recovery within RTO should be guaranteed by your test result. Your BCP is as good or bad as how well you do in tests.
  8. Monitoring: Make a dashboard for the purpose of monitoring. Both dynamic and static events should be included in items on the dashboard. A new customer's acquisition is one example of a dynamic event that could challenge all of your current business continuity metrics. Test results and whether they correspond to the intended RTO are examples of static events. You have a great continuity plan in place if you spend 30 minutes a month on the BCM dashboard.
    • Step 1: Conducting a Business Impact Analysis (BIA): The purpose of a BIA is to determine what your company values most and how long it can operate without it without losing money. If you're a bank, you could say that my customers won't wait outside the ATM if they don't get cash. Using the same logic, ask your customers how long they can wait. This analysis gives you two values: your maximum acceptable outage (MAO) and your revenue generating services (RGS). Both of these - will decide your business coherence plan (BCP). They will answer 'what to reestablish' and 'how quick'?
    • Step 2: Risk Assessment: This step looks at your readiness to guarantee availability. It identifies your single point of failure for each of the four capabilities: vendor outage, outage of technology, outage of people or skills, and outage of the site. It inquires whether you are prepared or require a strategy. A plan strategy is formed from the flaws that have been found.
    • Step 3: You can choose your business continuity strategy based on your budget and the issues you want to address. Additionally, this is a decision where an imminent failure is likely. There are options for each outage scenario. For instance, for innovation blackout - you have overt repetitiveness, cold site, warm site and hot site.
    • Step 4: The BC plans, which include a structure for incident management, reflect the list of plans against each scenario, who will do what, and how quickly we will recover, as well as continuity plans based on outages and incident-wise plans. Plans that are written down show your company's formal approach. Without documentation, there is no official "intent."
    • Step 5: BC Testing The following and most important step is to test the plans on the list above. BC is not possible without testing. Testing approaches start from Tabletop activities (most economical) to Turning off the mains (generally costly) - all choices are accessible relying on the certainty you wish to have. Additionally, determine whether your plans will guarantee the same time as the MAO specifies.
    • Step 6: Internal Audit: If you want ISO 22301, you should also conduct an internal audit to ensure compliance with all requirements and the MAO objectives. This will prevent the auditors from questioning your overall goals for business continuity.
    • Step 7: Training and communication are additional components that will guarantee your BC ROI. A more aware populace results in a more aware implementation which reduces the likelihood of failure.


For all new customers, kindly provide your enquiry as detailed as possible. Our team shall get back to you as soon as possible

Please Visit our Contact Us Page for more information