Operation for ISO 22301 Business Continuity

ISO 22301 Clause 8

This clause is the operational core of the BCMS - business impact analysis, risk assessment, continuity strategies, plans, exercises and the evaluation of capability.

ISO 22301 Clause 8 - Operation

Clause 8 is what makes ISO 22301 different from the other Annex SL standards. The other clauses describe a recognisable management system structure - context, leadership, planning, support, performance evaluation, improvement. Clause 8 is where business continuity actually lives. It runs from operational planning, through business impact analysis and risk assessment, into business continuity strategies and solutions, business continuity plans and procedures, exercise programmes and finally the evaluation of the documentation and capabilities the BCMS produces. This is where most of the work happens and where most of the audit attention falls.

Sub-clauses of ISO 22301 Clause 8

Clause 8.1 - Operational Planning and Control requires the organisation to plan, implement and control the processes needed to meet BCMS requirements and to implement the actions from Clause 6.1. The clause covers planned changes, unintended changes and outsourced processes. It is typically met through the IMS manual and the operating disciplines around the BCMS rather than through a single dedicated document.

Clause 8.2 - Business Impact Analysis and Risk Assessment requires systematic processes to analyse business impact and assess the risks of disruption. The BIA identifies prioritised activities, recovery time frames and minimum acceptable capacity. The risk assessment identifies and treats the risks that could disrupt those prioritised activities.

Clause 8.3 - Business Continuity Strategies and Solutions requires the organisation to identify, select and implement strategies and solutions for before, during and after disruption, including the resources needed to support them.

Clause 8.4 - Business Continuity Plans and Procedures requires the organisation to implement a response structure with named teams and roles, warning and communication procedures, business continuity plans, and recovery procedures.

Clause 8.5 - Exercise Programme requires the organisation to implement and maintain a programme of exercising and testing to validate the BCMS over time.

Clause 8.6 - Evaluation of Business Continuity Documentation and Capabilities requires the organisation to evaluate the suitability, adequacy and effectiveness of the BIA, risk assessment, strategies, solutions and plans, including evaluation of partners and suppliers.
