The PDCA Approach
Like ISO 9001 and ISO 13485, ISO 22301 is built on the plan–do–check–act (PDCA) cycle, and the standard's clauses are organized around that model:
• Plan. Parts 4, 5, 6, and 7 expect you to plan the establishment of your organization’s BCMS
• Do. Part 8 expects you to establish your BCMS
• Check. Part 9 expects you to evaluate your BCMS
• Act. Part 10 expects you to improve your BCMS
Brief Overview of Key Clauses of ISO 22301:2012 Business Continuity Standard
Following the new structure of ISO Guide 83, ISO 22301 is organized into seven main clauses (Table 35.1); the key activities for each clause are summarized below.
Clause 4: Context of the Organization
Understand your organization, its purpose, its objectives, and its context, together with the needs and expectations of interested parties in light of legal and regulatory requirements. Organizations should consider how disruptive incidents could affect the organization.
Clause 5: Leadership
Provide leadership and support for your organization, ensure that managers demonstrate their commitment and support, and encourage employee involvement. Allocate responsibility and authority for carrying out business continuity roles to the appropriate people within your organization.
Clause 6: Planning
Identify and assess the risks and opportunities that could influence the effectiveness of your organization or disrupt its operation. Define actions and prepare plans to address those risks and opportunities.
Clause 7: Support
Identify and provide the resources that your organization needs, including procedures and communication tools. Determine the competence requirements of the people under your organization’s control who have an impact on its performance, and ensure that people are aware of their responsibilities.
Clause 8: Operation
Plan and develop your BCMS processes by studying potential disruptions and analyzing business risks, and set your priorities. Establish a formal process that your organization can use to evaluate and set business continuity and recovery priorities, objectives, and targets; document, implement, and maintain your priority-setting process.
Clause 9: Performance Evaluation
Determine how you will monitor and measure the performance and effectiveness of your organization. Make sure that your audit program is capable of determining whether your system conforms to requirements.
Clause 10: Improvement
Identify, react to, and evaluate nonconformities when they occur. Implement corrective actions to address causes, and review the effectiveness of your corrective actions. Continuously improve the performance, suitability, adequacy, and effectiveness of your system.