ISO 22301 2019 is a business continuity management standard. This page outlines the structure of this standard. For a more detailed version, please see ISO 22301 2019 Translated into Plain English.

4. Context
4.1 Understand your organization and its unique context.
4.2 Define the needs and expectations of your interested parties.
4.2.1 Clarify who your interested parties are and specify their requirements.
4.2.2 Consider legal and regulatory requirements when you set up your BCMS.
4.3 Figure out what your BCMS should apply to and clarify its scope.
4.3.1 Think about context, mission, and requirements when you define scope.
4.3.2 Think about what to include and exclude when you define your scope.
4.4 Establish a BCMS in accordance with the requirements of this document.

5. Leadership
5.1 Provide leadership by supporting business continuity management.
5.2 Provide leadership by implementing a business continuity policy.
5.2.1 Provide leadership by establishing a business continuity policy.
5.2.2 Provide leadership by communicating business continuity policy.
5.3 Provide leadership by assigning roles, responsibilities, and authorities.

6. Planning
6.1 Define actions to manage your BCMS risks and opportunities.
6.1.1 Determine risks and opportunities when planning BCMS.
6.1.2 Plan how to address your BCMS risks and opportunities.
6.2 Formulate BC objectives and develop plans to achieve them.
6.2.1 Establish BC objectives at relevant functions and levels.
6.2.2 Plan how to achieve your organization's BC objectives.
6.3 Control how BCMS changes are planned and implemented.

7. Support
7.1 Support your BCMS by providing the necessary resources.
7.2 Support your BCMS by ensuring that people are competent.
7.3 Support your BCMS by making people aware of their duties.
7.4 Support your BCMS by controlling your communications.
7.5 Support your BCMS by managing documented information.
7.5.1 Support BCMS by including necessary documented information.
7.5.2 Support BCMS by managing the use of documented information.
7.5.3 Support BCMS by controlling applicable documented information.
7.5.3.1 Control availability, suitability, confidentiality, and security.
7.5.3.2 Control distribution, storage, modification, and disposition.

8. Operations
8.1 Carry out process planning and establish controls.
8.2 Study disruptions and risks and set your priorities.
8.2.1 Establish processes to analyze impacts and assess risks.
8.2.2 Determine business continuity priorities and requirements.
8.2.3 Assess risks and determine which ones should be treated.
8.3 Develop business continuity strategies and solutions.
8.3.1 Consider risks and business continuity strategies.
8.3.2 Identify business continuity strategies and solutions.
8.3.3 Select business continuity strategies and solutions.
8.3.4 Determine resources needed to implement solutions.
8.3.5 Implement business continuity strategies and solutions.
8.4 Establish business continuity plans and procedures.
8.4.1 Develop a structure to manage operations during disruptions.
8.4.2 Develop a disruption response structure for your organization.
8.4.2.1 Create one or more business disruption response teams.
8.4.2.2 Define roles and responsibilities for disruption response teams.
8.4.2.3 Assign personnel who are capable of responding to disruptions.
8.4.2.4 Appoint capable people and document all response procedures.
8.4.3 Develop procedures to manage communications and warnings.
8.4.3.1 Communicate with interested parties when disruptions occur.
8.4.3.2 Issue warnings and support emergency response organizations.
8.4.4 Develop and maintain business continuity plans and procedures.
8.4.4.1 Plan how to respond to disruptions and how to restore operations.
8.4.4.2 Specify the steps needed to continue activities and manage impacts.
8.4.4.3 Define purpose, scope, objectives, roles, responsibilities, and actions.
8.4.5 Develop and document processes needed to normalize activities.
8.5 Test business continuity strategies and solutions.
8.6 Evaluate your business continuity capabilities.

9. Evaluation
9.1 Monitor, measure, analyze, and evaluate performance.
9.2 Utilize audits to assess conformance and effectiveness.
9.2.1 Carry out internal BCMS audits at planned intervals.
9.2.2 Establish your organization's BCMS audit programme.
9.3 Carry out management reviews at planned intervals.
9.3.1 Plan how to review the performance of your BCMS.
9.3.2 Review the performance of your organization's BCMS.
9.3.3 Summarize the performance of your organization's BCMS.
9.3.3.1 Generate outputs and identify improvement opportunities.
9.3.3.2 Document and share your results and take remedial action.

10. Improvement
10.1 Identify nonconformities and take corrective action.
10.1.1 Determine opportunities to improve and take action.
10.1.2 Take corrective action when nonconformities occur.
10.1.3 Document nonconformities and the actions taken.
10.2 Enhance suitability, adequacy, and effectiveness.

If you'd like to see how we've translated each of these sections into Plain English, please check out our more detailed ISO 22301 2019 page.
Updated on October 5, 2020. First published on March 23, 2013.
Praxiom Research Group Limited help@praxiom.com 780-461-4514
Legal Restrictions on the Use of this Page Copyright © 2013 - 2020 by Praxiom Research Group Ltd. All Rights Reserved.