ISO 22301/business continuity
I m currently setting up our QMS(ISO9001) toward ISO22301. Currently, I m focusing on Clause 8 due to BCMS requirement. I want to simplify this system as much as possible and yet we are still implementing risk management to our system. For risk assessment, we are using SWOT but if needed we will use the Risk matrix system. Using our risk management system, we can check if we need to go further if it hit on the high-risk scale.
1 - Question, am I going on the right path, and what are the pitfalls I may encounter. Some of our processes are relying on digitalize information system and if system fail we rely back to our manual system. We have not decided to go for ISO27001 yet.
2 - Question, am I right to say that we only select such key cases on doing our BCMS and use those cases for the certification of ISO22301.
3 - Final question, I saw the BIA template, it may be complicated for my staff to understand and use them effectively. Question is there any simpler template to use.
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
1 - Question, am I going on the right path, and what are the pitfalls I may encounter. Some of our processes are relying on digitalize information system and if system fail we rely back to our manual system. We have not decided to go for ISO27001 yet.
ISO22301 does not prescribe a risk assessment approach (you have to define one on your own), but please note that SWOT is not sufficient, because for risk assessment you need to perform risk identification and risk analysis, and SWOT will help you only to identify risks (the risk matrix system will help you to analyze the risks, so you can have them measured).
Regarding ISO 27001, it is not required for ISO 22301 certification, but you can consider its security controls to support your BCMS implementation, as good practices.
For further information, see:
- ISO 27001 & ISO 22301: Why is it better to implement them together? [free webinar on demand]
2 - Question, am I right to say that we only select such key cases on doing our BCMS and use those cases for the certification of ISO22301.
I'm assuming that by key cases you are referring to the specific disruptive scenario that will be handled by your BCMS.
Considering that, please note that the certification is based on the BCMS scope, which covers processes, locations, and or business units you consider relevant for business continuity. Relevant disruptive scenarios are identified after the BCMS scope definition.
So, you need to define the BCMS scope first, because without it the certification auditor will be unable to evaluate if the selected key cases are relevant or not.
Additionally, the BIA, risk assessment, strategy, planning has to be done for all the activities in the BCMS scope.
For further information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Please note that although the article is about ISO 27001, the same concept applies to ISO 22301
3 - Final question, I saw the BIA template, it may be complicated for my staff to understand and use them effectively. Question is there any simpler template to use. We are just a service provider (ISO 9001 and OHSAS certified) at the airport for all cargo shipment and we also based on ISAGO-IATA requirement.
Our BIA template contains the minimum information required by the standard, so to better help you we need more details to understand where potential difficulties may be.
Please note that included in the template you have access to a video tutorial that can help you to fill in the BIA, using real data as examples. This may help you to fulfill the BIA.
Comment as guest or Sign in
May 08, 2020