22301 implementation with scope of IT department only
Dejan, I have a client who would like to implement ISO 22301:2019 and certify, but only within the IT department initially (they might want to extend the scope in the future). My question is: would they be able to do this if they only consider the products and services offered by the IT department to its internal customers within the rest of the company, OR do they have to consider the products and services that the company delivers to its external customers?
My question is about a process for conducting a BIA
First, it is important to note that certifying only the IT department is very uncommon for ISO 22301, because in general it does not represent any core business activities (i.e., it does not deliver products and/or services to business customers).
To go for this approach of certifying only the IT department, you need to take into account all the services it provides as an IT department - to both internal and external users.
So, in your BIA you need to consider all products and services provided to both internal and external users.
These articles can provide some tips about performing a BIA:
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
- Five Tips for Successful Business Impact Analysis https://advisera.com/27001academy/blog/2010/06/10/five-tips-for-successful-business-impact-analysis/
These materials will also help you regarding BIA:
- Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/
- Book Becoming Resilient, The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
Feb 18, 2021