EN ISO 22301:2014

SLOVENSKI STANDARD
01-oktober-2014
Družbena varnost - Sistem vodenja neprekinjenosti poslovanja - Zahteve (ISO
22301:2012)
Societal security - Business continuity management systems - Requirements (ISO
22301:2012)
Sicherheit und Schutz des Gemeinwesens - Aufrechterhaltung der Betriebsfähigkeit -
Anforderungen (ISO 22301:2012)
Sécurité sociétale - Systèmes de management de la continuité d'activité - Exigences
(ISO 22301:2012)
Ta slovenski standard je istoveten z: EN ISO 22301:2014
ICS:
03.100.01 Organizacija in vodenje Company organization and
podjetja na splošno management in general
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD
EN ISO 22301
NORME EUROPÉENNE
EUROPÄISCHE NORM
July 2014
ICS 03.100.01
English Version
Societal security - Business continuity management systems -
Requirements (ISO 22301:2012)
Sécurité sociétale - Systèmes de management de la Sicherheit und Schutz des Gemeinwesens -
continuité d'activité - Exigences (ISO 22301:2012) Aufrechterhaltung der Betriebsfähigkeit - Anforderungen
(ISO 22301:2012)
This European Standard was approved by CEN on 17 July 2014.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European
Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national
standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same
status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2014 CEN All rights of exploitation in any form and by any means reserved Ref. No. EN ISO 22301:2014 E
worldwide for CEN national Members.

Contents Page
Foreword .3

Foreword
The text of ISO 22301:2012 has been prepared by Technical Committee ISO/TC 223 “Societal security” of the
International Organization for Standardization (ISO) and has been taken over as EN ISO 22301:2014 by
Technical Committee CEN/TC 391 “Societal and Citizen Security” the secretariat of which is held by NEN.
This European Standard shall be given the status of a national standard, either by publication of an identical
text or by endorsement, at the latest by January 2015, and conflicting national standards shall be withdrawn at
the latest by January 2015.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following
countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech
Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece,
Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal,
Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
Endorsement notice
The text of ISO 22301:2012 has been approved by CEN as EN ISO 22301:2014 without any modification.
INTERNATIONAL ISO
STANDARD 22301
First edition
2012-05-15
Corrected version
2012-06-15
Societal security — Business continuity
management systems — Requirements
Sécurité sociétale — Gestion de la continuité des affaires — Exigences
Reference number
ISO 22301:2012(E)
©
ISO 2012
ISO 22301:2012(E)
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO’s
member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2012 – All rights reserved

ISO 22301:2012(E)
Contents Page
Foreword .iv
0 Introduction . v
0.1 General . v
0.2 The Plan-Do-Check-Act (PDCA) model. v
0.3 Components of PDCA in this International Standard . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Context of the organization . 8
4.1 Understanding of the organization and its context. 8
4.2 Understanding the needs and expectations of interested parties . 9
4.3 Determining the scope of the business continuity management system . 9
4.4 Business continuity management system .10
5 Leadership .10
5.1 Leadership and commitment .10
5.2 Management commitment .10
5.3 Policy . 11
5.4 Organizational roles, responsibilities and authorities . 11
6 Planning .12
6.1 Actions to address risks and opportunities .12
6.2 Business continuity objectives and plans to achieve them .12
7 Support .12
7.1 Resources .12
7.2 Competence .13
7.3 Awareness .13
7.4 Communication .13
7.5 Documented information .14
8 Operation .15
8.1 Operational planning and control .15
8.2 Business impact analysis and risk assessment .15
8.3 Business continuity strategy .16
8.4 Establish and implement business continuity procedures .17
8.5 Exercising and testing .19
9 Performance evaluation .19
9.1 Monitoring, measurement, analysis and evaluation .19
9.2 Internal audit .20
9.3 Management review .21
10 Improvement .22
10.1 Nonconformity and corrective action .22
10.2 Continual improvement .23
Bibliography .24
ISO 22301:2012(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International
Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 22301 was prepared by Technical Committee ISO/TC 223, Societal security.
This corrected version of ISO 22301:2012 incorporates the following corrections:
— first list in 6.1 changed from a numbered to an unnumbered list;
— commas added at the end of list items in 7.5.3 and 8.3.2;
— bibliography items [19] and [20] separated, which were merged in the original;
— font size adjusted in several places.
iv © ISO 2012 – All rights reserved

ISO 22301:2012(E)
0 Introduction
0.1 General
This International Standard specifies requirements for setting up and managing an effective Business Continuity
Management System (BCMS).
A BCMS emphasizes the importance of
— understanding the organization’s needs and the necessity for establishing business continuity management
policy and objectives,
— implementing and operating controls and measures for managing an organization’s overall capability to
manage disruptive incidents,
— monitoring and reviewing the performance and effectiveness of the BCMS, and
— continual improvement based on objective measurement.
A BCMS, like any other management system, has the following key components:
a) a policy;
b) people with defined responsibilities;
c) management processes relating to
1) policy,
2) planning,
3) implementation and operation,
4) performance assessment,
5) management review, and
6) improvement;
d) documentation providing auditable evidence; and
e) any business continuity management processes relevant to the organization.
Business continuity contributes to a more resilient society. The wider community and the impact of the
organization’s environment on the organization and therefore other organizations may need to be involved in
the recovery process.
0.2 The Plan-Do-Check-Act (PDCA) model
This International Standard applies the “Plan-Do-Check-Act” (PDCA) model to planning, establishing,
implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of an
organization’s BCMS.
This ensures a degree of consistency with other management systems standards, such as ISO 9001 Quality
management systems, ISO 14001, Environmental management systems, ISO/IEC 27001, Information security
management systems, ISO/IEC 20000-1, Information technology — Service management, and ISO 28000,
Specification for security management systems for the supply chain, thereby supporting consistent and
integrated implementation and operation with related management systems.
Figure 1 illustrates how a BCMS takes as inputs interested parties, requirements for continuity management
and, through the necessary actions and processes, produces continuity outcomes (i.e. managed business
continuity) that meet those requirements.
ISO 22301:2012(E)
Continual improvement of business continuity
management system (BCMS)
Establish
(Plan)
Interested
Interested
parties
parties
Maintain and Implement
improve and operate
(Act) (Do)
Requirements
Managed
for business
business
continuity
Monitor and
continuity
review
(Check)
Figure 1 — PDCA model applied to BCMS processes
Table 1 — Explanation of PDCA model
Plan Establish business continuity policy, objectives, targets, controls, processes and
(Establish) procedures relevant to improving business continuity in order to deliver results that align
with the organization’s overall policies and objectives.
Do Implement and operate the business continuity policy, controls, processes and
(Implement and operate) procedures.
Check Monitor and review performance against business continuity policy and objectives,
(Monitor and review) report the results to management for review, and determine and authorize actions for
remediation and improvement.
Act Maintain and improve the BCMS by taking corrective action, based on the results of
(Maintain and improve) management review and reappraising the scope of the BCMS and business continuity
policy and objectives.
0.3 Components of PDCA in this International Standard
In the Plan-Do-Check-Act model as shown in Table 1, Clause 4 through Clause 10 in this International Standard
cover the following components.
— Clause 4 is a component of Plan. It introduces requirements necessary to establish the context of the
BCMS as it applies to the organization, as well as needs, requirements, and scope.
— Clause 5 is a component of Plan. It summarizes the requirements specific to top management’s role in the
BCMS, and how leadership articulates its expectations to the organization via a policy statement.
— Clause 6 is a component of Plan. It describes requirements as it relates to establishing strategic objectives
and guiding principles for the BCMS as a whole. The content of Clause 6 differs from establishing risk
treatment opportunities stemming from risk assessment, as well as business impact analysis (BIA) derived
recovery objectives.
vi © ISO 2012 – All rights reserved

ISO 22301:2012(E)
NOTE The business impact analysis and risk assessment process requirements are detailed in Clause 8.
— Clause 7 is a component of Plan. It supports BCMS operations as they relate to establishing competence
and communication on a recurring/as-needed basis with interested parties, while documenting, controlling,
maintaining and retaining required documentation.
— Clause 8 is a component of Do. It defines business continuity requirements, determines how to address
them and develops the procedures to manage a disruptive incident.
— Clause 9 is a component of Check. It summarizes requirements necessary to measure business continuity
management performance, BCMS compliance with this International Standard and management’s
expectations, and seeks feedback from management regarding expectations.
— Clause 10 is a component of Act. It identifies and acts on BCMS non-conformance through corrective action.
INTERNATIONAL STANDARD ISO 22301:2012(E)
Societal security — Business continuity management
systems — Requirements
1 Scope
This International Standard for business continuity management specifies requirements to plan, establish,
implement, operate, monitor, review, maintain and continually improve a documented management system
to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive
incidents when they arise.
The requirements specified in this International Standard are generic and intended to be applicable to all
organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application
of these requirements depends on the organization’s operating environment and complexity.
It is not the intent of this International Standard to imply uniformity in the structure of a Business Continuity
Management System (BCMS), but for an organization to design a BCMS that is appropriate to its needs and
that meets its interested parties’ requirements. These needs are shaped by legal, regulatory, organizational
and industry requirements, the products and services, the processes employed, the size and structure of the
organization, and the requirements of its interested parties.
This International Standard is applicable to all types and sizes of organizations that wish to
a) establish, implement, maintain and improve a BCMS,
b) ensure conformity with stated business continuity policy,
c) demonstrate conformity to others,
d) seek certification/registration of its BCMS by an accredited third party certification body, or
e) make a self-determination and self-declaration of conformity with this International Standard.
This International Standard can be used to assess an organization’s ability to meet its own continuity needs
and obligations.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are indispensable
for its application. For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
There are no normative references.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
activity
process or set of processes undertaken by an organization (or on its behalf) that produces or supports one or
more products and services
EXAMPLE Such processes include accounts, call centre, IT, manufacture, distribution.
ISO 22301:2012(E)
3.2
audit
systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to
determine the extent to which the audit criteria are fulfilled
NOTE 1 An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a
combined audit (combining two or more disciplines).
NOTE 2 “Audit evidence” and “audit criteria” are defined in ISO 19011.
3.3
business continuity
capability of the organization to continue delivery of products or services at acceptable predefined levels
following disruptive incident
[SOURCE: ISO 22300]
3.4
business continuity management
holistic management process that identifies potential threats to an organization and the impacts to business
operations those threats, if realized, might cause, and which provides a framework for building organizational
resilience with the capability of an effective response that safeguards the interests of its key stakeholders,
reputation, brand and value-creating activities
3.5
business continuity management system
BCMS
part of the overall management system that establishes, implements, operates, monitors, reviews, maintains
and improves business continuity
NOTE The management system includes organizational structure, policies, planning activities, responsibilities,
procedures, processes and resources.
3.6
business continuity plan
documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined
level of operation following disruption
NOTE Typically this covers resources, services and activities required to ensure the continuity of critical business functions.
3.7
business continuity programme
ongoing management and governance process supported by top management and appropriately resourced to
implement and maintain business continuity management
3.8
business impact analysis
process of analyzing actitivites and the effect that a business disruption might have upon them
[SOURCE: ISO 22300]
3.9
competence
ability to apply knowledge and skills to achieve intended results
3.10
conformity
fulfilment of a requirement
[SOURCE: ISO 22300]
2 © ISO 2012 – All rights reserved

ISO 22301:2012(E)
3.11
continual improvement
recurring activity to enhance performance
[SOURCE: ISO 22300]
3.12
correction
action to eliminate a detected nonconformity
[SOURCE: ISO 22300]
3.13
corrective action
action to eliminate the cause of a nonconformity and to prevent recurrence
NOTE In the case of other undesirable outcomes, action is necessary to minimize or eliminate causes and to reduce
impact or prevent recurrence. Such actions fall outside the concept of “corrective action” in the sense of this definition.
[SOURCE: ISO 22300]
3.14
document
information and its supporting medium
NOTE 1 The medium can be paper, magnetic, electronic or optical computer disc, photograph or master sample, or a
combination thereof.
NOTE 2 A set of documents, for example specifications and records, is frequently called “documentation”.
3.15
documented information
information required to be controlled and maintained by an organization and the medium on which it is contained
NOTE 1 Documented information can be in any format and on any media from any source.
NOTE 2 Documented information can refer to
— the management system, including related processes;
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).
3.16
effectiveness
extent to which planned activities are realized and planned results achieved
[SOURCE: ISO 22300]
3.17
event
occurrence or change of a particular set of circumstances
NOTE 1 An event can be one or more occurrences, and can have several causes.
NOTE 2 An event can consist of something not happening.
NOTE 3 An event can sometimes be referred to as an “incident” or “accident”.
NOTE 4 An event without consequences may also be referred to as a “near miss”, “incident”, “near hit”, “close call”.
[SOURCE: ISO/IEC Guide 73]
ISO 22301:2012(E)
3.18
exercise
process to train for, assess, practice, and improve performance in an organization
NOTE 1 Exercises can be used for: validating policies, plans, procedures, training, equipment, and inter-organizational
agreements; clarifying and training personnel in roles and responsibilities; improving inter-organizational coordination
and communications; identifying gaps in resources; improving individual performance; and identifying opportunities for
improvement, and controlled opportunity to practice improvisation.
NOTE 2 A test is a unique and particular type of exercise, which incorporates an expectation of a pass or fail element
within the goal or objectives of the exercise being planned.
[SOURCE: ISO 22300]
3.19
incident
situation that might be, or could lead to, a disruption, loss, emergency or crisis
[SOURCE: ISO 22300]
3.20
infrastructure
system of facilities, equipment and services needed for the operation of an organization
3.21
interested party
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity
NOTE This can be an individual or group that has an interest in any decision or activity of an organization.
3.22
internal audit
audit conducted by, or on behalf of, the organization itself for management review and other internal purposes,
and which might form the basis for an organization’s self-declaration of conformity
NOTE In many cases, particularly in smaller organizations, independence can be demonstrated by the freedom from
responsibility for the activity being audited.
3.23
invocation
act of declaring that an organization’s business continuity arrangements need to be put into effect in order to
continue delivery of key products or services
3.24
management system
set of interrelated or interacting elements of an organization to establish policies and objectives, and processes
to achieve those objectives
NOTE 1 A management system can address a single discipline or several disciplines.
NOTE 2 The system elements include the organization’s structure, roles and responsibilities, planning, operation, etc.
NOTE 3 The scope of a management system can include the whole of the organization, specific and identified
functions of the organization, specific and identified sections of the organization, or one or more functions across a group
of organizations.
4 © ISO 2012 – All rights reserved

ISO 22301:2012(E)
3.25
maximum acceptable outage
MAO
time it would take for adverse impacts, which might arise as a result of not providing a product/service or
performing an activity, to become unacceptable
NOTE See also maximum tolerable period of disruption.
3.26
maximum tolerable period of disruption
MTPD
time it would take for adverse impacts, which might arise as a result of not providing a product/service or
performing an activity, to become unacceptable
NOTE See also maximum acceptable outage.
3.27
measurement
process to determine a value
3.28
minimum business continuity objective
MBCO
minimum level of services and/or products that is acceptable to the organization to achieve its business
objectives during a disruption
3.29
monitoring
determining the status of a system, a process or an activity
NOTE To determine the status there may be a need to check, supervise or critically observe.
3.30
mutual aid agreement
pre-arranged understanding between two or more entities to render assistance to each other
[SOURCE: ISO 22300]
3.31
nonconformity
non-fulfilment of a requirement
[SOURCE: ISO 22300]
3.32
objective
result to be achieved
NOTE 1 An objective can be strategic, tactical or operational.
NOTE 2 Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals)
and can apply at different levels [such as strategic, organization-wide, project, product and process).
NOTE 3 An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion,
as a societal security objective or by the use of other words with similar meaning (e.g. aim, goal, or target).
NOTE 4 In the context of societal security management systems standards, societal security objectives are set by the
organization, consistent with the societal security policy, to achieve specific results.
ISO 22301:2012(E)
3.33
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to
achieve its objectives
NOTE 1 The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise,
authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.
NOTE 2 For organizations with more than one operating unit, a single operating unit can be defined as an organization.
3.34
outsource (verb)
make an arrangement where an external organization performs part of an organization’s function or process
NOTE An external organization is outside the scope of the management system, although the outsourced function or
process is within the scope.
3.35
performance
measurable result
NOTE 1 Performance can relate either to quantitative or qualitative findings.
NOTE 2 Performance can relate to the management of activities, processes, products (including services), systems or
organizations.
3.36
performance evaluation
process of determining measurable results
3.37
personnel
people working for and under the control of the organization
NOTE The concept of personnel includes, but is not limited to employees, part-time staff, and agency staff.
3.38
policy
intentions and direction of an organization as formally expressed by its top management
3.39
procedure
specified way to carry out an activity or a process
3.40
process
set of interrelated or interacting activities which transforms inputs into outputs
3.41
products and services
beneficial outcomes provided by an organization to its customers, recipients and interested parties, e.g.
manufactured items, car insurance and community nursing
3.42
prioritized activities
activities to which priority must be given following an incident in order to mitigate impacts
NOTE Terms in common use to describe activities within this group include: critical, essential, vital, urgent and key.
[SOURCE: ISO 22300]
6 © ISO 2012 – All rights reserved

ISO 22301:2012(E)
3.43
record
statement of results achieved or evidence of activities performed
3.44
recovery point objective
RPO
point to which information used by an activity must be restored to enable the activity to operate on resumption
NOTE Can also be referred to as “maximum data loss”.
3.45
recovery time objective
RTO
period of time following an incident within which
— product or service must be resumed, or
— activity must be resumed, or
— resources must be recovered
NOTE For products, services and activities, the recovery time objective must be less than the time it would take for
the adverse impacts that would arise as a result of not providing a product/service or performing an activity to become
unacceptable.
3.46
requirement
need or expectation that is stated, generally implied or obligatory
NOTE 1 “Generally implied” means that it is a customary or common practice for the organization and interested
parties that the need or expectation under consideration is implied.
NOTE 2 A specified requirement is one that is stated, for example in documented information.
3.47
resources
all assets, people, skills, information, technology (including plant and equipment), premises, and supplies and
information (whether electronic or not) that an organization has to have available to use, when needed, in order
to operate and meet its objective
3.48
risk
effect of uncertainty on objectives
NOTE 1 An effect is a deviation from the expected — positive or negative.
NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and
can apply at different levels (such as strategic, organization-wide, project, product and process). An objective can be
expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as a business continuity
objective or by the use of other words with similar meaning (e.g. aim, goal, or target).
NOTE 3 Risk is often characterized by reference to potential events (Guide 73, 3.5.1.3) and consequences (Guide 73,
3.6.1.3), or a combination of these.
NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in
circumstances) and the associated likelihood (Guide 73, 3.6.1.1) of occurrence.
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an
event, its consequence, or likelihood.
ISO 22301:2012(E)
NOTE 6 In the context of business continuity management system standards, business continuity objectives are set
by the organization, consistent with the business continuity policy, to achieve specific results. When applying the term risk
and components of risk management, this should be related to the objectives of the organization that include, but are not
limited to the business continuity objectives as specified in 6.2.
[SOURCE: ISO/IEC Guide 73]
3.49
risk appetite
amount and type of risk that an organization is willing to pursue or retain
3.50
risk assessment
overall process of risk identification, risk analysis and risk evaluation
[SOURCE: ISO Guide 73]
3.51
risk management
coordinated activities to direct and control an organization with regard to risk
[SOURCE: ISO Guide 73]
3.52
testing
procedure for evaluation; a means of determining the presence, quality, or veracity of something
NOTE 1 Testing may be referred to a “trial”.
NOTE 2 Testing is often applied to supporting plans.
[SOURCE: ISO 22300]
3.53
top management
person or group of people who directs and controls an organization at the highest level
NOTE 1 Top management has the power to delegate authority and provide resources within the organization.
NOTE 2 If the scope of the management system covers only part of an organization then top management refers to
those who direct and control that part of the organization.
3.54
verification
confirmation, through the provision of evidence, that specified requirements have been fulfilled
3.55
work environment
set of conditions under which work is performed
NOTE Conditions include physical, social, psychological and environmental factors (such as temperature, recognition
schemes, ergonomics and atmospheric composition.
[SOURCE: ISO 22300]
4 Context of the organization
4.1 Understanding of the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that affect its
ability to achieve the intended outcome(s) of its BCMS.
8 © ISO 2012 – All rights reserved

ISO 22301:2012(E)
These issues shall be taken into account when establishing, implementing and maintaining the organization’s BCMS.
The organization shall identify and document the following:
a) the organization’s activities, functions, services, products, partnerships, supply chains, relationships with
interested parties, and the potential impact related to a disruptive incident;
b) links between the business continuity policy and the organization’s objectives and other policies, including
its overall risk management strategy; and
c) the organization’s risk appetite.
In establishing the context, the organization shall
1) articulate its objectives, including those concerned with business continuity,
2) define the external and internal factors that create the uncertainty that gives rise to risk,
3) set risk criteria taking into account the risk appetite, and
4) define the purpose of the BCMS.
4.2 Understanding the needs and expectations of interested parties
4.2.1 General
When establishing its BCMS, the organization shall determine
a) the interested parties that are relevant to the BCMS, and
b) the requirements of these interested parties (i.e. their needs and expectations whether stated, generally
implied or obligatory).
4.2.2 Legal and regulatory requirements
The organization shall establish, implement and maintain a procedure(s) to identify, have access to, and assess
the applicable legal and regulatory requirements to which the organization subscribes related to the continuity
of its operations, products and services, as well as the interests of relevant interested parties.
The organization shall ensure that these applicable legal, regulatory and other requirements to which the
organization subscribes are taken into account in establishing, implementing and maintaining its BCMS.
The organization shall document this information and keep it up-to-date. New or variations to legal, regulatory
and other requirements shall be communicated to affected employees and other interested parties.
4.3 Determining the scope of the business continuity management system
4.3.1 General
The organization shall determine the boundaries and applicability of the BCMS to establish its scope.
When determining this scope, the organization shall consider
— the external and internal issues referred to in 4.1, and
— the requirements referred to in 4.2.
The scope shall be available as documented information.
ISO 22301:2012(E)
4.3.2 Scope of the BCMS
The organization shall
a) establish the parts of the organization to be included in the BCMS,
b) establish BCMS requirements, considering the organization’s mission, goals, internal and external
obligations (including those related to interested parties), and legal and regulatory responsibilities,
c) identify products and services and all related activities within the scope of the BCMS,
d) take into account interested parties’ needs and interests, such as customers, investors, shareholders, the
supply chain, public and/or community input and needs, expectations and interests (as appropriate), and
e) define the scope of the BCMS in terms of and appropriate to the size, nature and complexity of the
organization.
When defining the scope, the organization shall document and explain exclusions; any such exclusions shall
not affect the organization’s ability and responsibility to provide continuity of business and operations that meet
the BCMS requirements, as determined by business impact analysis or risk assessment and applicable legal
or regulatory requirements.
4.4 Business continuity management system
The organization shall establish, implement, maintain and continually improve a BCMS, including the processes
needed and their interactions, in accordance with the requirements of this International Standard.
5 Leadership
5.1 Leadership and commitment
Persons in top management and other relevant management roles throughout the organization shall demonstrate
leadership with respect to the BCMS.
EXAMPLE This leadership and commitment can be shown by motivating and empowering persons to contribute to
the effectiveness of the BCMS.
5.2 Management commitment
Top management shall demonstrate leadership and commitment with respect to the BCMS by
— ensuring that policies and objectives are established for the business continuity management system and
are compatible with the strategic direction of the organization,
— ensuring the integration of the business continuity management system requirements into the organization’s
business processes,
— ensuring that the resources needed for the business continuity management system are available,
— communicating the importance of effective business continuity management and conforming to the BCMS
requirements,
— ensuring that the BCMS achieves its intended outcome(s),
— directing and supporting persons to contribute to the effectiveness of the BCMS,
— promoting continual improvement, and
— supporting other relevant management roles to demonstrate their leadership and commitment as it applies
to their areas of responsibility.
10 © ISO 2012 – All rights reserved

ISO 22301:2012(E)
NOTE 1 Reference to “business” in this International Standard is intended to be interpreted broadly to mean those
activities that are core to the purposes of the organization’s existence.
Top management shall provide evidence of its commitment to the establishment, implementation, operation,
monitoring, review, maintenance, and improvement of the BCMS by
— establishing a business continuity policy,
— ensuring that BCMS objectives and plans are established,
— establishing roles, responsibilities, and competencies for business continuity management, and
— appointing one or more persons to be responsible for the BCMS with the appropriate authority and
competencies to be accountable for the implementation and maintenance of the BCMS.
NOTE 2 These persons can hold other responsibilities within the organization.
Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and
communicated within the organization by
— defining the criteria for accepting risks and the acceptable levels of risk,
— actively engaging in exercising and testing,
— ensuring that internal audits of the BCMS are conducted,
— conducting management reviews of the BCMS, and
— demonstrating its commitment to continual improvement.
5.3 Policy
Top management
...