STANDARD
ISO 22301
First edition 2012-05-15
Reference number ISO 22301:2012(E)
ISO 2012
Tel. + 41 22 749 01 11
Web www.iso.org
Contents
Foreword ............................................................................................................................................................................ iv
0 Introduction ..................................................................................................................................................................... v
0.1 General .......................................................................................................................................................................... v
0.2 The Plan-Do-Check-Act (PDCA) model ................................................................................................................ v
0.3 Components of PDCA in this International Standard ...................................................................................... vi
1 Scope ...................................................................................................................................................................... 1
4
4.1
4.2
4.3
4.4
5 Leadership ........................................................................................................................................................... 10
5.1 Leadership and commitment ......................................................................................................................... 10
5.2 Management commitment ............................................................................................................................... 10
5.3 Policy .................................................................................................................................................................... 11
5.4 Organizational roles, responsibilities and authorities ............................................................................ 11
6 Planning ............................................................................................................................................................... 12
6.1 Actions to address risks and opportunities ............................................................................................... 12
6.2 Business continuity objectives and plans to achieve them .................................................................. 12
7 Support ................................................................................................................................................................. 12
7.1 Resources ........................................................................................................................................................... 12
7.2 Competence ........................................................................................................................................................ 13
7.3 Awareness ........................................................................................................................................................... 13
7.4 Communication .................................................................................................................................................. 13
7.5 Documented information ................................................................................................................................. 14
8 Operation ............................................................................................................................................................. 15
8.1 Operational planning and control ................................................................................................................. 15
8.2 Business impact analysis and risk assessment ....................................................................................... 15
8.3 Business continuity strategy ......................................................................................................................... 16
8.4 Establish and implement business continuity procedures ................................................................... 17
8.5 Exercising and testing ..................................................................................................................................... 19
9 Performance evaluation ................................................................................................................................... 19
9.1 Monitoring, measurement, analysis and evaluation ................................................................................ 19
9.2 Internal audit ....................................................................................................................................................... 20
9.3 Management review .......................................................................................................................................... 21
10 Improvement ....................................................................................................................................................... 22
10.1 Nonconformity and corrective action .......................................................................................................... 22
10.2 Continual improvement ................................................................................................................................... 23
Bibliography ..................................................................................................................................................................... 24
Foreword
Societal security.
0 Introduction
0.1 General
Quality management systems
Environmental management systems
Information security management systems
Information technology Service management
Figure: PDCA model applied to BCMS processes. Inputs: Interested parties; Requirements for business continuity. Cycle: Establish (Plan); Implement and operate (Do); Monitor and review (Check); Maintain and improve (Act). Outputs: Interested parties; Managed business continuity.
Table: Components of PDCA in this International Standard (Plan, Do, Check, Act).
INTERNATIONAL STANDARD
2 Normative references
3.1 activity
3.2 audit
3.3 business continuity
following disruptive incident
[SOURCE: ISO 22300]
3.4 business continuity management
3.5 business continuity management system
BCMS
3.6 business continuity plan
3.7 business continuity programme
3.8 business impact analysis
[SOURCE: ISO 22300]
3.9 competence
3.10 conformity
[SOURCE: ISO 22300]
3.11 continual improvement
[SOURCE: ISO 22300]
3.12 correction
[SOURCE: ISO 22300]
3.13 corrective action
3.15 documented information
3.16 effectiveness
[SOURCE: ISO 22300]
3.17 event
3.18 exercise
3.22 internal audit
3.23 invocation
3.24 management system
3.25 maximum acceptable outage
MAO
3.26 maximum tolerable period of disruption
MTPD
3.27 measurement
3.28 minimum business continuity objective
MBCO
3.29 monitoring
3.30 mutual aid agreement
[SOURCE: ISO 22300]
3.31 nonconformity
[SOURCE: ISO 22300]
3.32 objective
3.33 organization
3.34 outsource (verb)
3.35 performance
3.36 performance evaluation
3.37 personnel
3.38 policy
3.39 procedure
3.40 process
3.41 products and services
3.42 prioritized activities
3.43 record
3.44 recovery point objective
RPO
3.45 recovery time objective
RTO
3.46 requirement
3.47 resources
3.48 risk
3.49 risk appetite
3.50 risk assessment
3.51 risk management
3.52 testing
3.54
3.55 work environment
set of conditions under which work is performed
4.2
4.2.1 General
4.2.2
4.3
4.3.1
4.3.2
4.4
5 Leadership
5.1 Leadership and commitment
5.2 Management commitment
5.3 Policy
5.4 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Business continuity objectives and plans to achieve them
how to
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
7.5.1 General
7.5.2
7.5.3
8 Operation
8.1 Operational planning and control
8.2 Business impact analysis and risk assessment
8.2.1 General
8.2.2
8.2.3 Risk assessment
8.3 Business continuity strategy
8.3.1
8.3.2
8.3.3
8.4 Establish and implement business continuity procedures
8.4.1 General
8.4.2
8.4.3
8.4.4
8.4.5 Recovery
8.5 Exercising and testing
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.1.1
9.1.2
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective action
Bibliography
Quality management systems Requirements
Environmental management systems Requirements with guidance for use
Guidelines for auditing management systems
Information Technology Service Management
Societal security Terminology
Societal security Guideline for incident preparedness and operational continuity management
Information technology Security techniques Guidelines for Information and communications technology disaster recovery services
Information Security Management Systems
Information technology Security techniques Guidelines for information and communication technology readiness for business continuity
Risk Management Principles and Guidelines
Risk management Risk assessment techniques
Risk management Vocabulary
Business continuity management Code of practice
Security and continuity management systems Requirements and guidance for use
Standard on disaster/emergency management and business continuity programs
ICS 03.100.01