Till innehåll på sidan

ISO/TS 22317:2021 Security and resilience – Business continuity management systems – Guidelines for business impact analysis

ISO/TS 22317:2021 provides detailed guidelines for implementing and maintaining a business impact analysis (BIA) process consistent with the requirements in ISO 22301 Business continuity management systems. It includes examples and various methods to perform the BIA process and introduces justification for their use.

ISO 22317 was first published in September 2015 and in May 2019, the committee agreed to review the standard.

Uxía Fernández, project leader responsible for the revision of ISO/TS 22317, explains:

“ISO 22301 defines business continuity as the “capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption.”

Taking this definition as a starting point, it becomes clear why the BIA is such an important element of business continuity management systems (BCMS) since it allows an organization to:

  • prioritize its products and services for recovery
  • define acceptable time frames for the recovery of those products and services
  • learn what predefined capacity means for its activities, providing information regarding the levels of operation that are to be achieved
  • understand how impacts change over time, allowing the organization to react appropriately during the different phases of a potential disruption

Thus, as the ultimate objective of BIA is to provide an input for the definition of business continuity strategies and solutions, the organization’s business continuity capabilities will depend substantially on the quality of its BIA process.

For this reason, we recommend dedicating sufficient time to conducting a BIA and updating it on a regular basis. Only in this way can an organization be sure that its continuity strategies and, ultimately, its plans are applicable to its current situation and will prove useful in case of a disruption, regardless of its causes.

This revision of the technical specification simplifies the BIA process, aligning it with the requirements of ISO 22301:2019 and introducing new annexes with examples.

Uxía Fernández, commented on publication:

"In my opinion, the BIA is the cornerstone of the business continuity management system, so it's worth Uxiaspending time on defining the approach to be followed. To do so, I recommend using ISO/TS 22317:2021as it describes a complete and straightforward BIA process, aligned with the requirements of ISO 22301:2019 and includes useful examples.

I would like to thank all the members of the project team for their involvement and effort throughout these months, sometimes attending meetings in very challenging time frames.

I hope the final document meets the expectations of the practitioners who use it!”

Fiona Raymond-Cox, an expert from the project team also commented:

“If there is any doubt how to perform a BIA, this will be the Technical Specification (TS) for you! It describes the 7 steps for implementing an effective process for planning and conducting a BIA, then reporting on the results. The Annex contains guidance on data collection methods, how that data may be used for other purposes – e.g. process improvements, identification of risk, etc., as well as three examples for performing a BIA. I recommend the TS as an invaluable tool for all business continuity practitioners”.

ISO/TS 22317:2021 Security and resilience – Business continuity management systems – Guidelines for business impact analysis, is available from ISO national member institutes. It may also be obtained directly from the ISO Central Secretariat, respectively through the ISO Store or by contacting the Marketing, Communication & Information department.