Questions about ISO 22301

Guest user. Created: Jun 11, 2019. Last commented: Jun 11, 2019


1. What is the ideal timeline to implement ISO 22301 for a Business Unit (BU) of an estimated 500 staff, with multiple departments?

Expert
Rhand Leal Jun 11, 2019

Answer: The number of employees and the number of departments are only two of a set of relevant variables that help you define the ideal implementation time (e.g., you also have to consider the experience of the implementation team and the organization's structure). To take all these variables into account, I suggest you use our free ISO 27001/ISO 22301 Implementation Duration Calculator at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/

2. What are the things that I need to lookout for if a business unit (BU) wants to be certified for ISO 22301, rather than the organization?

Answer: The main issue is the definition of the implementation scope, i.e., the elements that are part of your Business Continuity Management System. With this information you will be able to focus on what is important and relevant to this business unit, and on how to handle the points where this BU interfaces with the rest of the organization. The other points are pretty much the same as if the whole organization were in the scope:
- Getting top management support
- Elaborating documentation (the documents mandated by the standard and those required by the business)
- Implementing, testing and reviewing plans
- Reviewing and adjusting the BCMS

These articles and materials will provide you further information (the articles about scope focus on ISO 27001, but the concept is also applicable to ISO 22301):
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- 17 steps for implementing ISO 22301 https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/
- ISO 22301: An overview of the BCM implementation process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-22301-overview-bcm-implementation-process-free-webinar-demand/
- How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/

3. Within a BU, there will be different departments dealing with different services. So how, and to what extent, would other BUs or organization departments (for example, facilities, legal, etc.) be involved?

Answer: This answer is unique to each organization, because it depends on the organization's internal structure, culture, and other factors. To take this into account, ISO 22301 has a requirement that organizations perform a Business Impact Analysis (BIA), which will help them identify exactly the factors that can influence and/or prevent the delivery of the services involved in the BCMS.

For further information about the BIA, please read:
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
- Five Tips for Successful Business Impact Analysis https://advisera.com/27001academy/blog/2010/06/10/five-tips-for-successful-business-impact-analysis/

4. Are the different departments, at both BU and organization level, required to come up with their own BIA?

Answer: If the processes and services to be included in the business continuity process are quite different, then a better approach would be for each department to perform its own BIA, because this would be a less complex approach. On the other hand, if the processes are similar, then performing a single BIA will be quicker.

The recommended material from the last answer will also be useful for this answer.
