Roles, Responsibilities and Authorities for ISO 22301 Business Continuity
ISO 22301 Clause 5.3
This sub-clause requires top management to assign and communicate roles, responsibilities and authorities relevant to the BCMS.
ISO 22301 Clause 5.3 - Roles, Responsibilities and Authorities
Clause 5.3 closes Clause 5 by making sure the people with responsibility for the BCMS know who they are and what they are accountable for. The standard names two specific responsibilities that have to be assigned: making sure the BCMS conforms to the requirements of the standard, and reporting on the performance of the BCMS to top management. Most organisations also use this clause as the place to assign a Business Continuity Lead and define the response team structure that will run the BCMS day to day.
What ISO 22301 Clause 5.3 Requires
The clause requires top management to assign the responsibility and authority for ensuring the BCMS conforms to ISO 22301 and for reporting on its performance to top management. The assignment of roles, responsibilities and authorities must be communicated within the organisation. Beyond those two named responsibilities, the standard does not prescribe a particular structure; that is left to the organisation.
In practice, most organisations identify a Business Continuity Lead who has overall responsibility for keeping the BCMS up to date, ensuring objectives are set and arrangements are tested, monitoring threats and reporting performance. Specific roles for incident response and recovery are typically defined in the business continuity plan, where they belong.
The Business Continuity Lead Role
A typical Business Continuity Lead is responsible for keeping the BC policy and plans current, ensuring continuity objectives are set and communicated, ensuring continuity arrangements are effective and tested, subscribing to relevant threat advisory systems, monitoring and reviewing changes that could affect continuity, and reporting BCMS performance to top management. This is the person an auditor will typically ask to see first when arriving on site.
The simplest way to comply is to write the BCMS responsibilities into the IMS manual, name the Business Continuity Lead, and use an organisation chart to show how the role sits in the wider structure. Specific incident response roles and authorities live in the business continuity plan, where they are at hand when needed.
I expect to see a named Business Continuity Lead with documented responsibilities. I will ask that person about the BCMS; if they do not know what they are accountable for, that is a problem. I also check that the responsibility for reporting BCMS performance to top management is explicitly assigned and that performance reporting is actually happening, for example as a standing item in management review.
Practical Compliance Guidance
The IMS1 Integrated Management System Manual provides Section 2.2 for documenting roles and responsibilities, including the Business Continuity Lead. The F-IMS21 Business Continuity Register and the F-Q94 Business Continuity Plan record the specific responsibilities for incident response and recovery.
| alphaZ document | How to use it |
|---|---|
| ISO 22301 Toolkit | The full set of policies, procedures, registers and plans that build a BCMS to the requirements of the standard. |
| IMS1 - ISO 22301 Manual | Section 2.2 of the manual records the Business Continuity Lead and the BCMS responsibilities. |
| F-IMS21 Business Continuity Register | The register that captures specific responsibilities relating to BCMS activities and arrangements. |
| F-Q94 Business Continuity Plan | The plan that names the response team members and their roles during a disruption. |
Subscribers to alphaZ have access to all of these documents and supporting material. Find out more about the alphaZ subscription.
