ISO 22301 2012 Translated into Plain English

ISO 22301 2012 is now obsolete. See ISO 22301 2019.

ISO 22301 2012 is a business continuity management standard.
Use it to ensure that operations continue and that products and services
are delivered at predefined levels, that brands and value-creating activities
are protected, and that the reputations and interests of key stakeholders
are safeguarded whenever disruptive incidents occur.

4. Context

4.1. Understand your organization and its unique context.   

•  Understand your organization and its purpose before
you establish, implement, and maintain your business
continuity management system (BCMS).

•  Consider the issues that could influence the outcomes
(or objectives) your BCMS is intended to achieve.

•  Consider how your business continuity policy
will be linked to the rest of your organization.

•  Understand your organization's context before
you establish, implement, and maintain your
business continuity management system (BCMS).

•  Clarify your organization's objectives.

•  Identify the particular factors that create your
organization's uncertainty and increase its
risk.
 

•  Establish your organization's risk criteria.

•  Define the purpose of your BCMS. 

4.2. Define the needs and expectations of your interested parties.

4.2.1. Clarify who interested parties are and specify their requirements.

•  Identify all of the parties that have an interest in your BCMS.

•  Identify their requirements including their needs and expectations. 

4.2.2. Consider legal and regulatory requirements when designing BCMS.

•  Establish a procedure to manage your legal and
regulatory business continuity requirements.

•  Document your organization's legal, regulatory,
and other business continuity requirements.

•  Consider all relevant legal, regulatory, and other
requirements when you establish your BCMS.

•  Discuss changes in legal, regulatory, and other
business continuity requirements with
stakeholders.

4.3.  Figure out what your BCMS should apply to and clarify its scope.

4.3.1. Think about what your organization's BCMS should cover.

•  Consider what your organization's BCMS should cover and what
it should include when you think about what its scope should be.

•  Consider how disruptive incidents could impact your organization
when you think about what the scope of your BCMS should be.

•  Consider all of the factors that create your
organization's uncertainty and increase its
risk.

•  Consider the parties that have an interest in your
BCMS when you think about what its scope should be.

•  Consider all relevant legal, regulatory, and other requirements
when you think about what the scope of your BCMS should be.

•  Consider all the issues that could influence what your BCMS
should achieve when you think about what its scope should be.

•  Consider what the boundaries of your BCMS should
be when you think about what its scope should be.

4.3.2. Establish your requirements and define the scope of BCMS.

•  Establish your organization's BCMS requirements
before you define the scope of your system.

•  Consider your organization's mission and goals
when you establish the scope of your BCMS.

•  Consider your organization's legal and regulatory
responsibilities when you establish your BCMS scope.

•  Consider your organization's internal and external
obligations when you establish the scope of your BCMS.

•  Consider the needs and expectations of your organization's
interested parties when you establish the scope of your BCMS.

•  Figure out what should be included in your BCMS.

•  Define the scope of your organization's BCMS.

4.4. Develop a BCMS that meets your needs and complies with this standard.

•  Establish a BCMS in accordance with the ISO 22301 2012 standard.

•  Establish the processes that your organization's BCMS needs.

•  Specify how your processes should interact.

5. Leadership

5.1. Provide leadership for your organization's BCMS.

•  Provide leadership and support for your organization's
business continuity management system (BCMS).

•  Make sure that your managers demonstrate
their commitment and support for the BCMS.

•  Make sure that your managers encourage
their employees to support the BCMS.

5.2. Show that you support your organization's BCMS.

•  Demonstrate a commitment to your BCMS.

•  Ensure that BCMS policies are established.

•  Ensure that BCMS objectives are established.

•  Ensure that BCMS achieves its intended outcomes.

•  Ensure that BCMS requirements become an
integral part of your organization's
processes.
 

•  Ensure that necessary BCMS resources
are available when they are needed.
 

•  Communicate a commitment to your BCMS.

•  Make sure that personnel understand how
important business continuity management is.
 

5.3. Establish a suitable BCMS policy for your organization.

•  Establish a business continuity policy.

•  Document your business continuity policy.

•  Implement your business continuity policy.

•  Review your business continuity policy.

5.4. Assign responsibility and authority for your BCMS.

•  Allocate responsibility and authority for carrying out business
continuity roles to the appropriate people within your organization.

6. Planning

6.1. Specify actions to manage your risks and address your opportunities.

•  Identify the risks and opportunities that could influence the
effectiveness of your organization's BCMS or disrupt its operation.

•  Figure out what you need to do to address the risks and opportunities that
could influence the effectiveness of your BCMS or disrupt its operation.

•  Define actions and prepare plans to address the risks and opportunities that
could influence the effectiveness of your BCMS or disrupt its operation.

6.2. Set business continuity objectives and develop plans to achieve them.

•  Establish your organization's business continuity objectives.

•  Establish plans to achieve your business continuity objectives.

7. Support

7.1. Support your BCMS by providing the necessary resources.

•  Identify the resources that your organization's BCMS needs.

•  Provide the resources that your organization's BCMS needs.

7.2. Support your BCMS by making sure that people are competent.

•  Identify the competence requirements of the people under your
organization's control who have an impact on its performance.

•  Acquire the necessary competence whenever current personnel
fail to meet your organization's competence requirements.

•  Evaluate the effectiveness of any actions taken to
acquire the competence your organization needs.

7.3. Support your BCMS by making people aware of their responsibilities.

•  Make your people aware of your organization's BCMS.

•  Make sure that the people who work for your organization
are aware of its business continuity management
policy.

•  Make sure that the people who work for your organization understand
how they can help enhance the overall effectiveness of your BCMS.

•  Make sure that the people who work for your organization understand their
role and what they're expected to do whenever disruptive
incidents occur.

•  Make sure that the people who work for your organization understand
what could happen if they fail to meet your BCMS requirements.
 

7.4. Support your BCMS by establishing communication procedures.

•  Identify your organization's pre-incident BCMS communication needs.

•  Identify your organization's internal BCMS communication needs.

•  Identify your organization's external BCMS communication needs.

•  Establish pre-incident BCMS communication procedures.

7.5. Support your BCMS by managing all relevant information.

7.5.1. Provide the information and documents that your BCMS needs.

•  Document the information that your organization's BCMS needs.

•  Ensure that BCMS documents and records are unique to your
organization and compatible with what it does and how it does it.

•  Establish, retain, and maintain the documented
information required by this ISO 22301 standard.

•  Develop, retain, and maintain the documents and records that your
organization needs in order to ensure that its BCMS is effective.

7.5.2. Supervise the creation and modification of BCMS documents.

•  Supervise the creation and modification of your
organization's BCMS documents and records.

•  Make sure that your BCMS documents and
records are properly identified and described.

•  Make sure that your BCMS documents and
records are properly formatted and presented.

•  Make sure that your BCMS documents and
records are properly reviewed and approved.

7.5.3. Control your organization's BCMS information and documents.

•  Control your organization's BCMS documents and records.

•  Control how BCMS documents and records are created.

•  Control how BCMS documents and records are identified.

•  Control how BCMS documents and records are approved.

•  Control how BCMS documents and records are distributed.

•  Control how BCMS documents and records are stored.

•  Control how BCMS documents and records are retrieved.

•  Control how BCMS documents and records are accessed.

•  Control how BCMS documents and records are used.

•  Control how BCMS documents and records are protected.

•  Control how BCMS documents and records are changed.

•  Control how BCMS documents and records are preserved.  

8. Operation

8.1. Carry out process planning and establish controls.

•  Plan the development of your BCMS processes.

•  Develop your organization's BCMS processes.

•  Implement your organization's BCMS processes.

•  Control your organization's BCMS processes.

•  Maintain your organization's BCMS processes.

8.2. Study disruptions and risks and set your priorities.

8.2.1. Establish a process to analyze impacts and assess risks.

•  Establish a formal process that your organization
can use to analyze business impacts and assess risks.

•  Document the process that your organization uses
to analyze its business impacts and assess its risks.

•  Implement the process that your organization uses
to analyze its business impacts and assess its risks.

•  Maintain the process that your organization uses
to analyze its business impacts and assess its risks.

8.2.2. Evaluate and set business continuity and recovery priorities.

•  Establish a formal process that your organization can
use to evaluate and set business continuity and recovery
priorities, objectives, and targets.

•  Document your priority setting process.

•  Implement your priority setting process.

•  Maintain your priority setting process.

8.2.3. Assess risks and identify risk treatment options.

•  Establish a formal risk assessment process.

•  Document your risk assessment process.

•  Implement your risk assessment process.

•  Identify your business interruption risks.

•  Analyze your business interruption risks.

•  Evaluate your business interruption risks.

•  Communicate your business interruption risks.

•  Maintain your risk assessment process.

•  Identify your risk treatment options.

8.3. Develop a business continuity strategy to handle disruptions.

8.3.1. Use impact analysis and risk assessment to develop strategy.

•  Consider possible business continuity strategies.

•  Base your business continuity strategy on the
output of your business impact analysis (see 8.2.2).

•  Base your business continuity strategy on the
output of your risk assessment process (see 8.2.3).

•  Develop your business continuity strategy.

•  Make sure that your strategy explains how you plan to
handle your organization's prioritized activities and the
impact disruptions could have on these activities.

•  Make sure that your strategy explains how you plan to
manage the impact that disruptions could have on the
people and partners that your activities depend on.

8.3.2.  Identify the resources that you need to implement strategy.

•  Identify the resources that your organization needs
in order to implement its business continuity strategy.

8.3.3. Select and implement risk treatment measures to manage risks.

•  Consider treatments to manage your organization's risks.

•  Consider risk treatments that reduce the likelihood of disruption.

•  Consider risk treatments that shorten the period of disruption.

•  Consider risk treatments that limit the impact of disruption.

•  Select treatments to manage your organization's risks.

•  Implement your organization's risk treatment measures.

8.4. Establish and implement business continuity plans and procedures.

8.4.1. Establish disruption and continuity management procedures.

•  Develop procedures to manage disruptive incidents
and continue your organization's prioritized activities.

•  Document procedures to manage disruptive incidents
and continue your organization's prioritized activities.

•  Implement procedures to manage disruptive incidents
and continue your organization's prioritized activities.

•  Maintain procedures to manage disruptive incidents
and continue your organization's prioritized activities.

8.4.2. Establish an incident response structure and procedures.

•  Establish your incident response processes and procedures.

•  Establish your incident response management structure.

8.4.3. Establish disruption warning and communication procedures.

•  Establish your warning and communication procedures.

•  Establish procedures for detecting incidents when they occur.

•  Establish procedures for monitoring incidents as they occur.

•  Establish procedures for sharing information during a disruption.

•  Establish procedures for recording information about incidents.

•  Establish procedures for operating your organization's
warning and communications facilities during a disruption.

•  Establish procedures for ensuring that your means of
communication will be available during a disruption.

•  Implement your warning and communication procedures.

•  Maintain your warning and communication procedures.

8.4.4. Establish incident response and business continuity procedures.

•  Consider your organization's business continuity needs when
you design your incident response and business continuity
plans and procedures.

•  Make sure that your plans and procedures explain how
your organization intends to deal with disruptive incidents.

•  Make sure that your plans and procedures address the needs
and requirements of those who will be expected to use them.

•  Develop your organization's incident response
and business continuity plans and procedures.

•  Define incident response and business
continuity roles and responsibilities.

•  Design a process that you can use to activate
a response whenever disruptive incidents occur.

•  Explain how you plan to manage immediate
consequences when disruptive incidents occur.

•  Specify how and when you intend to communicate
with others whenever disruptive incidents occur.

•  Document your organization's incident response
and business continuity plans and procedures.

•  Describe how you plan to ensure that your prioritized
activities will continue or recover to predefined levels
within predetermined timeframes.

8.4.5. Establish suitable business recovery and restoration procedures.

•  Establish procedures to restore and return prioritized business
activities to the way they were before the incident occurred.

•  Document your organization's business
recovery and restoration procedures.

8.5. Conduct exercises and test business continuity plans and procedures.

•  Establish business continuity management exercises and tests.

•  Develop exercises and tests to ensure that your organization's
business continuity plans and procedures are consistent with
its business continuity objectives.

•  Conduct your business continuity management exercises and tests.

•  Examine how well your organization handles disruptive scenarios.

•  Produce accurate and complete post-exercise reports.

•  Review your business continuity exercises and tests.

9. Evaluation

9.1. Monitor, measure, and evaluate your organization's BCMS.

9.1.1. Monitor and measure the performance of your BCMS.

•  Figure out how you're going to monitor and measure
the performance and effectiveness of your BCMS.

•  Develop procedures to monitor and measure the
performance and effectiveness of your BCMS.

•  Monitor and measure the performance and
effectiveness of your organization's BCMS.

•  Establish a record of your organization's BCMS
monitoring and measurement activities and results.

9.1.2. Evaluate your business continuity procedures and capabilities.

•  Establish a process to evaluate your organization's
business continuity procedures and capabilities.

•  Evaluate your organization's business
continuity procedures and capabilities.

•  Modify business continuity procedures and capabilities whenever
evaluations indicate that changes are necessary or desirable.

9.2. Set up an internal audit program and use it to evaluate your BCMS.

•  Plan the development of an internal BCMS audit program.

•  Make sure that your audit program is capable of determining
whether or not your BCMS conforms to requirements.

•  Make sure that your audit program is capable of determining
whether or not your BCMS has been implemented effectively.

•  Establish your organization's internal BCMS audit program.

•  Implement your organization's internal BCMS audit program.

•  Maintain your organization's internal BCMS audit program. 

9.3. Review the performance of your organization's BCMS.

•  Establish a BCMS review process.

•  Plan your BCMS review process.

•  Review the performance of your BCMS.

•  Generate management review outputs.

•  Communicate your management review results.

•  Retain a record of management review results.

10. Improvement

10.1.  Identify nonconformities and take corrective actions.

•  Identify nonconformities when they occur.

•  React to your organization's nonconformities.

•  Evaluate the need to eliminate causes.

•  Implement corrective actions to address causes.

•  Review the effectiveness of your corrective actions.

•  Change your BCMS if necessary or desirable.

10.2. Enhance the overall performance of your BCMS.

•  Continuously improve the performance of your BCMS.

•  Continuously improve the suitability of your BCMS.

•  Continuously improve the adequacy of your BCMS.

•  Continuously improve the effectiveness of your BCMS.


Updated on October 5, 2020. First published on March 23, 2013.

Praxiom Research Group Limited         help@praxiom.com         780-461-4514

Legal Restrictions on the Use of this Page
Thank you for visiting this page. You are welcome to view our material as often as
you wish, free of charge. And as long as you keep intact all copyright notices, you are
welcome to print or make one copy of this page for your own personal, noncommercial,
home use. But, you are not legally authorized to print or produce additional copies or to
copy and paste any of our material onto another web site or to republish it in any way.

Copyright © 2013 - 2020 by Praxiom Research Group Limited. All Rights Reserved.
