ISO 22301 Business Continuity Definitions

The following definitions are based on ISO 22301 2012, section 3,
Terms and definitions. We've translated these definitions into
plain English in order to make them easier to understand.

3.1 Activity

An activity is a process or a set of processes that produces, or
supports the production of, one or more products and services.
Activities are carried out by organizations (or by others on its behalf).
Examples include manufacturing activities, distribution activities,
call centre activities, accounting activities, and IT activities.

3.2 Audit

An audit is an evidence gathering process. Evidence is used to
evaluate how well audit criteria are being met. Audits must be
objective, impartial, and independent, and the audit process
must be both systematic and documented.

Audits can be internal or external. Internal audits are referred to as
first-party audits while external audits can be either second or third
party audits. They can also be combined audits (when two or more
management systems of different disciplines are audited together
at the same time).

3.3 Business continuity (BC)

Business continuity is a corporate capability. This capability
exists whenever organizations can continue to deliver their
products and services at acceptable predefined levels after
disruptive incidents have occurred.

3.4 Business continuity management (BCM)

Business continuity management is a holistic management process
that is used to ensure that operations continue and that products
and services are delivered at predefined levels, that brands and
value-creating activities are protected, and that the reputations
and interests of key stakeholders are safeguarded whenever
disruptive incidents occur. This is achieved by identifying potential
threats, by analyzing possible impacts, and by taking steps to build
organizational resilience. (A holistic process is one that emphasizes
the importance of the whole process and the interdependence of
the parts that make up that process.)

3.5 Business continuity management system (BCMS)

A business continuity management system is part of an
organization's overall management system. A BCMS is a set
of interrelated elements that organizations use to establish,
implement, operate, monitor, review, maintain, and improve their
business continuity capabilities. These elements include people,
policies, plans, procedures, processes, structures, and resources.

All of these elements are used to ensure that operations continue
and that products and services are delivered at predefined levels,
that brands and value-creating activities are protected, and that the
reputations and interests of key stakeholders are safeguarded
whenever disruptive incidents occur.

3.6 Business continuity plan

Business continuity plans are made up of documented procedures.
Organizations use these procedures to respond to disruptive
incidents, to guide recovery efforts, to resume prioritized activities,
and to restore operations to acceptable predefined levels.

Business continuity plans usually identify the services, activities,
and resources needed to ensure that prioritized business activities
and functions can continue whenever disruptions occur.

3.7 Business continuity program (or programme)

A business continuity program is an ongoing management
and governance process. Organizations use business continuity
programs to implement and maintain their business continuity
capabilities. These programs are supported by top management
and are appropriately resourced.

3.8 Business impact analysis

A business impact analysis is a process that organizations use
to analyze the effect a business disruption could have on activities
that support the provision of products and services. The results of
this analysis are used to set business continuity and recovery
priorities, objectives, and targets.

3.9 Competence

Competence means being able to apply knowledge and skill
to achieve intended results. Being competent means having the
knowledge and skill that you need and knowing how to apply
it. Being competent means that you know how to do your job.

3.10 Conformity

Conformity is the "fulfillment of a requirement". To conform means
to meet or comply with requirements. There are many types of
requirements. There are management system requirements,
customer requirements, contractual requirements, regulatory
requirements, statutory requirements, and so on.

3.11 Continual improvement

Continual improvement is a set of recurring activities that an
organization carries out in order to enhance its ability to meet
requirements. Continual improvements can be achieved by
carrying out audits, self-assessments, management reviews,
and benchmarking projects. Continual improvements can also
be realized by collecting data, analyzing information, setting
objectives, and implementing corrective and preventive actions.

3.12 Correction

A correction is any action that is taken to eliminate a
nonconformity. However, corrections do not address
causes. When applied to products, corrections can include
reworking products, reprocessing them, regrading them,
assigning them to a different use, or simply destroying them.

3.13 Corrective action

Corrective actions are steps that are taken to eliminate the
causes of existing nonconformities in order to prevent recurrence.
The corrective action process tries to make sure that existing
nonconformities and potentially undesirable situations
don’t happen again.

3.14 Document

When information is placed on a medium it becomes a document.
In this context, the term medium usually refers to paper. But it can
also refer to electronic, magnetic, or optical disks. A set of
documents is often referred to as documentation.

3.15 Documented information

The term documented information refers to information that must
be controlled and maintained and its supporting medium. Documented
information can be in any format and on any medium and can come
from any source. Documented information includes information about
the management system and related processes. It also includes all the
information that organizations need to operate and all the information
that they use to document the results that they achieve (aka records).

3.16 Effectiveness

Effectiveness refers to the degree to which a planned effect is
achieved. Planned activities are effective if these activities are
realized. Similarly, planned results are effective if these results
are actually achieved.

3.17 Event

An event could be one occurrence, several occurrences, or
even a nonoccurrence (when something doesn’t happen that was
supposed to happen). It can also be a change in circumstances.
Events are sometimes referred to as incidents or accidents.
Events always have causes and usually have consequences.
Events without consequences are sometimes referred to as
near-misses, near-hits, or close-calls.

3.18 Exercise

An exercise is any process that an organization uses to assess,
practice, or improve performance. Exercises can be used to train
personnel, to practice improvisation, to enhance communication
and coordination, to identify resource gaps and performance
improvement opportunities, and to validate policies, plans,
procedures, and agreements.

3.19 Incident

An incident is a situation that might be a disruption, crisis, loss,
or emergency, or a situation that could lead to a disruption, crisis,
loss, or emergency.

3.20 Infrastructure

The term infrastructure refers to the entire system of
facilities, equipment, and services that an organization
needs in order to function.

3.21 Interested party (stakeholder)

An interested party is anyone who can affect, be affected
by, or believe that they are affected by a decision or activity.
An interested party is a person, group, or organization that
has an interest or a stake in a decision or activity.

3.22 Internal audit

Organizations use internal audits to audit themselves. Internal audits
can be used to support the management review process or to declare
that an organization complies with a set of audit criteria (this is often
called a self-declaration). They are carried out by the organization
itself or by others on its behalf.

An audit is an evidence gathering process. Audit evidence is used
to evaluate how well audit criteria are being met. Audits should be
objective, impartial, and independent. Independence can often be
achieved by making sure that people do not audit themselves.

3.23 Invocation

An invocation is an official declaration that an organization's
business continuity arrangements need to be formally activated
or put into effect. An official invocation is necessary whenever a
disruptive incident interferes with your organization's ability to
deliver key products and services.

3.24 Management system

A management system is a set of interrelated or interacting elements
that organizations use to direct and control how policies are applied
and objectives are achieved.

A process-based management system uses a process approach to
manage and control how its policies are applied and its objectives
are achieved. A process-based management system is a network
of many interrelated and interconnected processes (elements).

The process approach is a management strategy. When managers
use a process approach, it means that they manage the processes
that make up their organization, the interaction between these
processes, and the inputs and outputs that tie them together.

3.25 Maximum acceptable outage (MAO)

The maximum acceptable outage is the amount of time that
can elapse before an adverse impact becomes unacceptable
or intolerable. In this context, an adverse impact is caused by
failure to provide products or services or to perform an activity.

3.26 Maximum tolerable period of disruption (MTPD)

See 3.25 Maximum acceptable outage. According to ISO 22301,
the terms maximum acceptable outage and maximum tolerable
period of disruption mean the same thing and are defined using
exactly the same words.

3.27 Measurement

Measurement is a process that is carried out
in order to determine the value of a variable.

3.28 Minimum business continuity objective (MBCO)

A minimum business continuity objective is the lowest
acceptable level of product or service that can be tolerated
during a disruption. Below this minimum level, the organization
is no longer able to provide an acceptable level of product
or service or to achieve its business objectives.

3.29 Monitoring

To monitor means to determine the status of an activity, process,
or system. In order to ascertain status, you may need to supervise
and to continually check and critically observe the activity, process,
or system that is being monitored.

3.30 Mutual aid agreement

A mutual aid agreement is a promise or a pre-arranged understanding
between two or more entities to help each other whenever disruptive
incidents occur.

3.31 Nonconformity

Nonconformity is a nonfulfilment or failure to meet a requirement.
A requirement is a need, expectation, or obligation. It can be stated
or implied by an organization or its interested parties.

3.32 Objective

An objective is a result you wish to achieve. Objectives can be
strategic, tactical, or operational and can apply to an organization
as a whole or to a system, process, project, product, or service. A
variety of words can be used to express objectives. These include
words like target, aim, goal, purpose, or intended outcome.

3.33 Organization

According to ISO 22301, an organization can be a single person
or a group that achieves its objectives by using its own functions,
responsibilities, authorities, and relationships.

An organization can be a company, corporation, enterprise,
firm, partnership, charity, institution, or authority. It can be
either incorporated or unincorporated and can be either
privately or publicly owned.

It can also be a single operating unit that is part of a larger entity.
However, an operating unit must have its own functions and
administration in order to count as an organization.

3.34 Outsource

When an organization makes an arrangement with an outside
organization to perform part of a function or process, it is referred to
as outsourcing. To outsource means to ask an external organization
to perform part of a function or process usually done inhouse.

3.35 Performance

A performance is a measurable result that is achieved by an
activity, process, product, service, system, or organization.

This definition allows us to consider performance measurements.
It allows us to think about the measurement of organizational
performance, process performance, product performance, service
performance, systemic performance, and so on. Such measurements
can be either quantitative or qualitative.

3.36 Performance evaluation

A performance evaluation is a process that is used to determine
measurable results. A performance evaluation measures and
analyses the results that activities achieve. It also measures
and analyzes process, product, service, systemic, and
organizational performance results.

3.37 Personnel

Personnel are people working for and under the control of an
organization. They include employees, part-time and temporary
staff members, as well as agency workers.

3.38 Policy

A policy is a general commitment, direction, or intention and is formally
stated by top management. A business continuity policy statement
should express top management's commitment to the implementation
and improvement of its business continuity management system and
should allow managers to set business continuity objectives. It should
be appropriate and should support the organization's overall purpose.

3.39 Procedure

A procedure is a way of carrying out a process or activity.
Procedures may or may not be documented. ISO 22301 2012
sometimes asks you to document a procedure and sometimes
it leaves it up to you to decide.

3.40 Process

A process is a set of activities that are interrelated or that interact
with one another. Processes use resources to transform inputs
into outputs. Processes are interconnected because the output
from one process becomes the input for another process.

3.41 Products and services

In the context of this ISO 22301 standard, products and services
are beneficial outcomes that organizations produce and provide
to their customers, recipients, and interested parties.

3.42 Prioritized activities

Prioritized activities are those that must continue whenever a
disruptive incident occurs. They are usually activities that support
the provision of products and services. Prioritized activities must
continue in order to mitigate the impact that disruptions could have.
Prioritized activities are also commonly referred to as critical,
essential, vital, urgent, or key activities.

3.43 Records

Records provide evidence that activities have been performed or
results have been achieved. Records always document the past.

3.44 Recovery point objective (RPO)

The term recovery point objective refers to a data recovery objective.
It is the point to which information or data used by an activity must be
restored after a disruptive incident occurs. It is an information or data
recovery objective that must be achieved in order to allow an activity
to resume after a disruptive incident has occurred.

3.45 Recovery time objective (RTO)

The term recovery time objective refers to a time period. It is the
maximum amount of time allowed to resume an activity, recover
resources, or provide products and services after a disruptive
incident occurs. This target time period must be short enough
to ensure that adverse impacts do not become unacceptable.

3.46 Requirement

A requirement is a need, expectation, or obligation. It can be stated or
implied by an organization, its customers, or other interested parties.
A specified requirement is one that has been stated (in a document for
example), whereas an implied requirement is a need, expectation, or
obligation that is common practice or customary.

3.47 Resources

Resources include all the assets that organizations need in order
to be able to operate and achieve objectives. Resources include
people, skills, information, supplies, materials, tools, equipment,
buildings, and technology.

3.48 Risk

According to ISO Guide 73:2009, definition 1.1, risk is the “effect
of uncertainty on objectives” and an effect is a positive or negative
deviation from what is expected. The following two paragraphs will
explain what this means.

ISO Guide 73 recognizes that all of us operate in an uncertain world.
Whenever we try to achieve an objective, there’s always the chance
that things will not go according to plan. Every step has an element
of risk that needs to be managed and every outcome is uncertain.
Whenever we try to achieve an objective, we don't always get the
results we expect. Sometimes we get positive results and sometimes
we get negative results and occasionally we get both. Because of
this, ISO wants us to reduce uncertainty as much as possible.

Uncertainty (or lack of certainty) is a state or condition that involves
a deficiency of information and leads to inadequate or incomplete
knowledge or understanding. In the context of risk management,
uncertainty exists whenever your knowledge or understanding of
an event, consequence, or likelihood is inadequate or incomplete.

3.49 Risk appetite

In the context of this ISO 22301 standard, risk appetite refers to
the amount and type of risk that an organization is prepared to
accept, tolerate, or pursue.

3.50 Risk assessment

Risk assessment is a process that is, in turn, made up of three
processes: risk identification, risk analysis, and risk evaluation.

Risk identification is a process that is used to find, recognize, and
describe the risks that could affect the achievement of objectives.

Risk analysis is a process that is used to understand the nature,
sources, and causes of the risks that you have identified and to
estimate the level of risk. It is also used to study impacts and
consequences and to examine the controls that currently exist.

Risk evaluation is a process that is used to compare risk analysis
results with risk criteria in order to determine whether or not a
specified level of risk is acceptable or tolerable.

3.51 Risk management

Risk management refers to a coordinated set of activities and
methods that is used to direct an organization and to control
the many risks that can affect its ability to achieve objectives.

3.52 Testing

According to ISO 22301, testing is an evaluation procedure that is
used to determine whether something is true, to establish whether
something is present, or to discover the quality of something.

3.53 Top management

The term top management normally refers to the people at
the top of an organization; it refers to the people who provide
resources and delegate authority and who coordinate, direct,
and control organizations. However, if the scope of a management
system covers only part of an organization, then the term top
management refers, instead, to the people who direct and
control that part of the organization.

3.54 Verification

Verification is a process that uses objective evidence
to confirm that specified requirements have been met.

3.55 Work environment

The term work environment refers to working conditions. It refers to
all of the conditions and factors that influence work. In general, these
include physical, social, psychological, and environmental conditions
and factors. Work environment includes lighting, temperature, and
noise factors, as well as the whole range of ergonomic influences.
It also includes things like supervisory practices as well as reward
and recognition programs. All of these things influence work.

Home Page	Our Libraries	A to Z Index	Our Customers
How to Order	Our Products	Our Prices	Our Guarantee
Praxiom Research Group Limited help@praxiom.com 780-461-4514