ISO 22301 2019 Business Continuity Definitions

The following terms and definitions are based on ISO 22301 2019 and
ISO 22301 2012, section 3, Terms and definitions. We've translated these
definitions into plain English in order to make them easier to understand.

Activity

An activity is a set of tasks oriented towards
the achievement of a defined output.

Audit

An audit is an evidence gathering process. Evidence is used
to evaluate how well audit criteria are being met. Audits must be
objective, impartial, and independent, and the audit process must
be both systematic and documented. Audits can be either internal
or external. Internal audits are referred to as first-party audits while
external audits can be either second or third party. They can also be
combined audits (when two or more management of different
disciplines are audited together at the same time).

Audit evidence includes records, factual statements, and other
verifiable information that is related to the audit criteria being used. Criteria may be thought of as a reference point and include policies,
requirements, and other forms of documented information. Criteria are
compared against audit evidence to determine how well they are being
met. Audit evidence is used to determine how well policies are being
implemented and how well requirements are being followed.

Business continuity (BC)

Business continuity is a corporate capability. This capability exists
whenever organizations can continue to deliver their products and
services at an acceptable predefined capacity within an acceptable
time frame whenever business disruptions occur.

Business continuity management (BCM)

Business continuity management is a holistic management process
that is used to ensure that operations continue and that products
and services are delivered at predefined levels, that brands and
value-creating activities are protected, and that the reputations
and interests of key stakeholders are safeguarded whenever
disruptive incidents occur. This is achieved by identifying potential
threats, by analyzing possible impacts, and by taking steps to build
organizational resilience. (A holistic process is one that emphasizes
the importance of the whole process and the interdependence of
the parts that make up that process.)

Business continuity management system (BCMS)

A BCMS is a set of interrelated elements that organizations use to
establish, implement, operate, monitor, review, maintain, and improve
their business continuity capabilities. These elements include people,
policies, plans, procedures, processes, structures, and resources.

All of these elements are used to ensure that operations continue
and that products and services are delivered at predefined levels,
that brands and value-creating activities are protected, and that the
reputations and interests of key stakeholders are safeguarded
whenever business disruptions occur.

In most cases, a business continuity management system
is part of an organization's overall management system.

Business continuity plan

Business continuity plans are documents that organizations
use to achieve business continuity objectives, to respond to
disruptions, to resume operations, and to recover and
restore the delivery of products and services.

Business continuity program (or programme)

A business continuity program is an ongoing management
and governance process. Organizations use business continuity
programs to implement and maintain their business continuity
capabilities. These programs are supported by top management
and are appropriately resourced.

Business impact analysis

A business impact analysis is a process that organizations use
to analyze the effect a business disruption could have over time.
The results of such an analysis are used to set business continuity
and recovery priorities, objectives, and targets.

Competence

Competence means being able to apply knowledge and skill
to achieve intended results. Being competent means having the
knowledge and skill that you need and knowing how to apply
it. Being competent means that you know how to do your job.

Conformity

Conformity is the "fulfillment of a requirement". To conform means
to meet or comply with requirements. There are many types of
requirements. There are management system requirements,
customer requirements, contractual requirements, regulatory
requirements, statutory requirements, and so on.

Continual improvement

Continual improvement is a set of recurring activities that an
organization carries out in order to enhance its ability to meet
requirements. Continual improvements can be achieved by
carrying out audits, self-assessments, management reviews,
and benchmarking projects. Continual improvements can also
be realized by collecting data, analyzing information, setting
objectives, and implementing corrective and preventive actions.

Correction

A correction is any action that is taken to eliminate a
nonconformity. However, corrections do not address
causes. When applied to products, corrections can include
reworking products, reprocessing them, regrading them,
assigning them to a different use, or simply destroying them.

Corrective action

Corrective actions are steps taken to eliminate the causes nonconformities in order to prevent recurrence. The corrective
action process tries to make sure that existing nonconformities
and potentially undesirable situations don’t happen again.

Disruption

A disruption is an incident that causes an unplanned negative
deviation from the expected way in which products and services
are delivered. Incidents interfere with an organization's ability
to achieve product and service delivery objectives.

Documented information

The term documented information refers to information that must
be controlled and maintained. Whenever ISO 22301 2019 uses the term
documented information it implicitly expects you to control and maintain
that information and its supporting medium. Documented information can
be in any format and on any medium and can come from any source.

Documented information includes information about the management
system and related processes. It also includes all the information that
organizations need to operate and all the information that they use to
document the results that they achieve (aka records).

Effectiveness

Effectiveness refers to the degree to which a planned effect is
achieved. Planned activities are effective if these activities are
realized. Similarly, planned results are effective if these results
are actually achieved.

Impact

An impact is the outcome of a business disruption. Business
disruptions have impacts which interfere with the ability to
achieve product and service delivery objectives.

Exercise

An exercise is any process that an organization uses to assess,
practice, or improve performance. Exercises can be used to train
personnel, to practice improvisation, to enhance communication
and coordination, to identify resource gaps and performance
improvement opportunities, and to validate policies, plans,
procedures, and agreements.

Incident

An incident is an event that can be or could lead
to a disruption, crisis, loss, or emergency.

Infrastructure

The term infrastructure refers to the entire system of
facilities, equipment, and services that an organization
needs in order to function.

Interested party (stakeholder)

An interested party is anyone who can affect, be affected
by, or believe that they are affected by a decision or activity.
An interested party is a person, group, or organization that
has an interest or a stake in a decision or activity.

Internal audit

Organizations use internal audits to audit themselves. Internal audits
can be used to support the management review process or to declare
that an organization complies with a set of audit criteria (this is often
called a self-declaration). They are carried out by the organization
itself or by others on its behalf.

An audit is an evidence gathering process. Audit evidence is used
to evaluate how well audit criteria are being met. Audits should be
objective, impartial, and independent. Independence can often be
achieved by making sure that people do not audit themselves.

Invocation

An invocation is an official declaration that an organization's
business continuity arrangements need to be formally activated
or put into effect. An official invocation is necessary whenever a
disruptive incident interferes with your organization's ability to
deliver key products and services.

Management system

A management system is a set of interrelated or interacting elements
that organizations use to direct and control how policies are applied
and objectives are achieved.

A process-based management system uses a process approach to
manage and control how its policies are applied and its objectives
are achieved. A process-based management system is a network
of many interrelated and interconnected processes (elements).

The process approach is a management strategy. When managers
use a process approach, it means that they manage the processes
that make up their organization, the interaction between these
processes, and the inputs and outputs that tie them together.

Maximum acceptable outage (MAO)

The maximum acceptable outage is the amount of time that
can elapse before an adverse impact becomes unacceptable
or intolerable. In this context, an adverse impact is caused by
failure to provide products or services or to perform an activity.

Maximum tolerable period of disruption (MTPD)

See 3.25 Maximum acceptable outage. According to ISO 22301,
the terms maximum acceptable outage and maximum tolerable
period of disruption mean the same thing and are defined using
exactly the same words.

Measurement

Measurement is a process that is carried out
in order to determine the value of a variable.

Minimum business continuity objective (MBCO)

A minimum business continuity objective is the lowest
acceptable level of product or service that can be tolerated
during a disruption. Below this minimum level, the organization
is no longer able to provide an acceptable level of product
or service or to achieve its business objectives.

Monitoring

To monitor means to determine the status of an activity, process,
or system. In order to ascertain status, you may need to supervise
and to continually check and critically observe the activity, process,
or system that is being monitored.

Mutual aid agreement

A mutual aid agreement is a promise or a pre-arranged understanding
between two or more entities to help each other whenever disruptive
incidents occur.

Nonconformity

Nonconformity is a nonfulfilment or failure to meet a requirement.
A requirement is a need, expectation, or obligation. It can be stated
or implied by an organization or its interested parties.

Objective

An objective is a result you wish to achieve. Objectives can be
strategic, tactical, or operational and can apply to an organization
as a whole or to a system, process, project, product, or service. A
variety of words can be used to express objectives. These include
words like target, aim, goal, purpose, or intended outcome.

Organization

According to ISO 22301, an organization can be a single person
or a group that achieves its objectives by using its own functions,
responsibilities, authorities, and relationships.

An organization can be a company, corporation, enterprise,
firm, partnership, charity, institution, or authority. It can be
either incorporated or unincorporated and can be either
privately or publicly owned.

It can also be a single operating unit that is part of a larger entity.
However, an operating unit must have its own functions and
administration in order to count as an organization.

Outsource

When an organization makes an arrangement with an outside
organization to perform part of a function or process, it is referred to
as outsourcing. To outsource means to ask an external organization
to perform part of a function or process usually done inhouse.

Performance

A performance is a measurable result that is achieved by an
activity, process, product, service, system, or organization.

This definition allows us to consider performance measurements.
It allows us to think about the measurement of organizational
performance, process performance, product performance, service
performance, systemic performance, and so on. Such measurements
can be either quantitative or qualitative.

Performance evaluation

A performance evaluation is a process that is used to determine
measurable results. A performance evaluation measures and
analyses the results that activities achieve. It also measures
and analyzes process, product, service, systemic, and
organizational performance results.

Personnel

Personnel are people working for and under the control of an
organization. They include employees, part-time and temporary
staff members, as well as agency workers.

Policy

A policy is a general commitment, direction, or intention and is formally
stated by top management. A business continuity policy statement
should express top management's commitment to the implementation
and improvement of its business continuity management system and
should allow managers to set business continuity objectives. It should
be appropriate and should support the organization's overall purpose.

Procedure

A procedure is a way of carrying out a process or activity.
Procedures may or may not be documented. ISO 22301 2012
sometimes asks you to document a procedure and sometimes
it leaves it up to you to decide.

Process

A process is a set of activities that are interrelated or that interact
with one another. Processes use resources to transform inputs
into outputs. Processes are interconnected because the output
from one process becomes the input for another process.

Products and services

Products and services are outputs or outcomes that are
provided by organizations and delivered to interested parties.

Prioritized activities

Prioritized activities are those that must urgently continue
whenever a business disruption occurs. Prioritized activities
must continue in order to mitigate the unacceptable impact
that disruptions could have.

Records

Records provide evidence that activities have been performed or
results have been achieved. Records always document the past.

Recovery point objective (RPO)

The term recovery point objective refers to a data recovery objective.
It is the point to which information or data used by an activity must be
restored after a disruptive incident occurs. It is an information or data
recovery objective that must be achieved in order to allow an activity
to resume after a disruptive incident has occurred.

Recovery time objective (RTO)

The term recovery time objective refers to a time period. It is the
maximum amount of time allowed to resume an activity, recover
resources, or provide products and services after a disruptive
incident occurs. This target time period must be short enough
to ensure that adverse impacts do not become unacceptable.

Requirement

A requirement is a need, expectation, or obligation. It can be stated or
implied by an organization, its customers, or other interested parties.
A specified requirement is one that has been stated (in a document for
example), whereas an implied requirement is a need, expectation, or
obligation that is common practice or customary.

Resources

Resources include all the assets that organizations need in order
to be able to operate and achieve objectives. Resources include
people, skills, information, supplies, materials, tools, equipment,
buildings, and technology.

Risk

According to ISO Guide 73:2009, definition 1.1, risk is the “effect
of uncertainty on objectives” and an effect is a positive or negative
deviation from what is expected. The following two paragraphs will
explain what this means.

ISO Guide 73 recognizes that all of us operate in an uncertain world.
Whenever we try to achieve an objective, there’s always the chance
that things will not go according to plan. Every step has an element
of risk that needs to be managed and every outcome is uncertain.
Whenever we try to achieve an objective, we don't always get the
results we expect. Sometimes we get positive results and sometimes
we get negative results and occasionally we get both. Because of
this, ISO wants us to reduce uncertainty as much as possible.

Uncertainty (or lack of certainty) is a state or condition that involves
a deficiency of information and leads to inadequate or incomplete
knowledge or understanding. In the context of risk management,
uncertainty exists whenever your knowledge or understanding of
an event, consequence, or likelihood is inadequate or incomplete.

Risk appetite

In the context of this ISO 22301 standard, risk appetite refers to
the amount and type of risk that an organization is prepared to
accept, tolerate, or pursue.

Risk assessment

Risk assessment is a process that is, in turn, made up of three
processes: risk identification, risk analysis, and risk evaluation.

Risk identification is a process that is used to find, recognize, and
describe the risks that could affect the achievement of objectives.

Risk analysis is a process that is used to understand the nature,
sources, and causes of the risks that you have identified and to
estimate the level of risk. It is also used to study impacts and
consequences and to examine the controls that currently exist.

Risk evaluation is a process that is used to compare risk analysis
results with risk criteria in order to determine whether or not a
specified level of risk is acceptable or tolerable.

Risk management

Risk management refers to a coordinated set of activities and
methods that is used to direct an organization and to control
the many risks that can affect its ability to achieve objectives.

Testing

According to ISO 22301, testing is an evaluation procedure that is
used to determine whether something is true, to establish whether
something is present, or to discover the quality of something.

Top management

The term top management normally refers to the people at
the top of an organization; it refers to the people who provide
resources and delegate authority and who coordinate, direct,
and control organizations. However, if the scope of a management
system covers only part of an organization, then the term top
management refers, instead, to the people who direct and
control that part of the organization.

Verification

Verification is a process that uses objective evidence
to confirm that specified requirements have been met.

Work environment

The term work environment refers to working conditions. It refers to
all of the conditions and factors that influence work. In general, these
include physical, social, psychological, and environmental conditions
and factors. Work environment includes lighting, temperature, and
noise factors, as well as the whole range of ergonomic influences.
It also includes things like supervisory practices as well as reward
and recognition programs. All of these things influence work.

Home Page	Our Library	A to Z Index	Our Customers
How to Order	Our Products	Our Prices	Our Guarantee
Praxiom Research Group Limited help@praxiom.com 780-461-4514