Standard for BCM
Answer: For ISO, the main standard for business continuity management is ISO 22301, which defines the requirements for the business continuity management system. For complementary guidance and recommendations there are supporting standards such as ISO 22313 and ISO 27031 (Guidelines for information and communication technology readiness for business continuity).
Other organizations have their own standards that an organization should consider according to its own context, such as the National Fire Protection Association (NFPA) and its NFPA 1600.
These articles will provide you further explanation about BCM standards:
- What is ISO 22301? https://advisera.com/27001academy/what-is-iso-22301/
- ISO 22301 vs. ISO 22313 https://advisera.com/27001academy/blog/2013/05/21/iso-22301-vs-iso-22313/
- Understanding IT disaster recovery according to ISO 27031 https://advisera.com/27001academy/blog/2015/09/21/understanding-it-disaster-recovery-according-to-iso-27031/
- NFPA 1600 vs. ISO 22301 – Similarities and differences https://advisera.com/27001academy/blog/2013/11/05/nfpa-1600-vs-iso-22301-similarities-and-differences/
2 - The requirements state what SHOULD be done and not HOW to do it, right?
Answer: Your assumption is partially correct. ISO 22301, like other ISO management standards, has mandatory requirements (associated with the words must/shall) and also optional requirements (associated with the words may/should), and these only define what must/should be done, not how. It is done this way to allow each organization to freely define how to implement the requirements.
This material will also help you regarding BCM:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
Mar 05, 2018