ISO/TS 22317 Societal security - Business continuity managment systems - Guidelines for business impact analysis
This Technical Specification for business continuity management systems provides guidelines (based on good international practice) for performing a business impact analysis (BIA), which is a requirement of ISO 22301 (clause 8.2). It provides guidance for establishing, implementing and maintaining a formal and documented process for business impact analysis. It is applicable to all organizations, regardless of type, location, size and nature of the organization.
This business impact analysis standard provides a framework for determining continuity and recovery priorities, objectives and targets.
The purpose of the business impact analysis process is to analyze the consequences of a disruptive incident on the organization. The outcome is a statement and justification of business continuity requirements.
Organizations implementing ISO 22317 will reach the following benefits:
- Endorsement or modification of the organization's BC programme scope;
- Identification of legal, regulatory, and contractual requirements (obligations) and their effect on business continuity requirements;
- Evaluation of impacts on the organization over time, which serves as the justification for business continuity requirements (time and capability);
- Identification and confirmation of product/service delivery requirements following a disruptive incident, which then sets the prioritized timeframes for activities and resources;
- Identification of, and establishment of, the relationships between products/services, processes, activities, and resources;
- Determination of the resources needed to perform prioritized activities (e.g. facilities; people; equipment; information, communication and technology assets; supplies; and financing);
- Understanding of the dependencies on other activities, supply chains, partners, and other interested parties; and
- Determination of how up to date the information needs to be.
Brian Zawada (USA), the project leader responsible for writing ISO 22317, explains:
“This new technical specification summarizes the guidance necessary to identify appropriate business continuity requirements as part of a broader business continuity management system or program. Many organizations struggle with identifying when, and to what extent, activities and resources need to be available following a disruptive event. The ISO 22317 project team feels strongly that this new technical specification will help organizations identify business continuity requirements leading to the implementation of appropriate business continuity strategies.”
ISO/TS 22317:2015, Societal security - Business continuity management systems - Guidelines for business impact analysis (BIA), will within short be available from ISO national member institutes (see the complete list with contact details). It may also be obtained directly from the ISO Central Secretariat, respectively through the ISO Store or by contacting the Marketing, Communication & Information department.