Business Continuity Policy for ISO 22301
ISO 22301 Clause 5.2
This sub-clause requires top management to establish a documented business continuity policy and communicate it within the organisation and to relevant interested parties.
ISO 22301 Clause 5.2 - Business Continuity Policy
Clause 5.2 is one of the few clauses where ISO 22301 is explicit that documented information is required. The business continuity policy is the public-facing statement of what top management is committing to and the framework within which everything else in the BCMS sits. It is short, signed by top management, and visible.
What ISO 22301 Clause 5.2 Requires
Under Clause 5.2.1, the policy must be appropriate to the purpose of the organisation, provide a framework for setting business continuity objectives, include a commitment to satisfy applicable requirements, and include a commitment to continual improvement of the BCMS.
Under Clause 5.2.2, the policy must be available as documented information, communicated within the organisation, and available to interested parties as appropriate. Communication to interested parties is a deliberate choice - the policy does not have to be plastered on the website, but it must be available to those who reasonably need it.
What a Business Continuity Policy Looks Like
A typical business continuity policy is a one- or two-page statement signed by top management. It explains why the organisation is committed to business continuity, the scope it applies to, the framework for objectives, and the commitment to comply and improve. It does not contain the detail of how the BCMS works - that sits in the procedure, registers and plans. The policy statement and the supporting policy procedure are usually kept as separate documents.
For policies, the trap is making them too long. A policy that runs to ten pages becomes a procedure with a different name, and nobody reads it. Keep the policy short - what we are committing to, why, and the framework. Put the detail in the supporting documents.
I want to see a documented business continuity policy that is signed by top management and is current. I check that the date is recent enough to be credible, that the commitments are in there, and that the policy is communicated. If staff cannot tell me where to find it, that is a finding.
Practical Compliance Guidance
The P-34 Business Continuity Policy Statement provides a one-page top-level policy statement signed by top management. The PP-1-05 Business Continuity Policy is the supporting procedure that explains how the policy is implemented and references the registers, plans and forms that make the BCMS work in practice.
| alphaZ document | How to use it |
|---|---|
| ISO 22301 Toolkit | The full set of policies, procedures, registers and plans that build a BCMS to the requirements of the standard. |
| P-34 Business Continuity Policy Statement | The top-level signed policy statement that meets the documented information requirement of Clause 5.2. |
| PP-1-05 Business Continuity Policy | The supporting policy procedure that describes how the policy is implemented across the BCMS. |
Subscribers to alphaZ have access to all of these documents and supporting material. Find out more about the alphaZ subscription.
