ISO 22301 Clause 4.2

This sub-clause requires the organisation to identify the interested parties relevant to the BCMS, their requirements, and the legal and regulatory obligations that apply to continuity of products and services.

ISO 22301 Clause 4.2 - Understanding the Needs and Expectations of Interested Parties

Clause 4.2 takes the outward-looking work begun at Clause 4.1 and sharpens it. Where context is broad, interested parties are specific - the people, organisations and authorities who have a stake in whether the business keeps running. The clause splits into two parts: identifying interested parties and their requirements, then identifying the legal and regulatory requirements that apply.

What ISO 22301 Clause 4.2 Requires

Under Clause 4.2.1, the organisation must determine the interested parties that are relevant to the BCMS and the requirements of those parties that are relevant. Interested parties for a BCMS typically include customers (especially those with contractual continuity expectations), employees, regulators, shareholders and owners, suppliers and partners, emergency services and local authorities, neighbours and the local community, and certification bodies.

Under Clause 4.2.2, the organisation must establish a process to identify, have access to, and assess legal and regulatory requirements relevant to the continuity of its products and services, activities and resources. Those requirements must be accounted for when implementing and maintaining the BCMS, and documented information must be retained and kept up to date.

Identifying Interested Parties for Continuity

The continuity perspective changes who counts as an interested party compared with quality or environmental management. Customers who depend on continuous service, suppliers whose own resilience affects the organisation, regulators who require notification of disruptive incidents, and the workforce who may be displaced or asked to work from alternative locations - all of these come into sharper focus when the BCMS is being built.

The requirements of those parties also need recording. A major customer might require restoration of service within a contractual recovery time. A regulator might require notification within a set period. Employees might require pay and welfare arrangements during disruption. These requirements feed into the business impact analysis at Clause 8.2 and the recovery time objectives that drive the rest of the BCMS.

Interested parties registers can become a tick-box exercise where every customer in the address book ends up listed and nothing useful comes out. For continuity, keep it sharp - who would actually notice if the business stopped trading for three days, and what would they expect to happen? That list is shorter and far more useful.

I look for evidence that customers reliant on the products and services - especially those tied into contracts or service-level agreements with recovery commitments - have been recognised in the interested parties register and that those commitments have been carried through into the BIA and the continuity plans. A contract that promises four-hour recovery is meaningless if the BC plan assumes a working day.

Practical Compliance Guidance

The F-IMS22 Interested Parties Register provides the structure for capturing parties, their interest, and their requirements. For ISO 22301, ensure the register includes all parties relevant to the BCMS, including customers with continuity-related contractual commitments and regulators whose requirements apply to disruptive incidents.

The documents below support the identification and management of interested parties and their requirements for an ISO 22301 BCMS.

alphaZ document | How to use it
ISO 22301 Toolkit | The full set of policies, procedures, registers and plans that build a BCMS to the requirements of the standard.
F-IMS22 Interested Parties Register | The register for recording interested parties, their interest in the BCMS, and their relevant needs and requirements.
IMS1 - ISO 22301 Manual | The integrated management system manual where the interested parties analysis is summarised and linked to other parts of the BCMS.

Subscribers to alphaZ have access to all of these documents and supporting material. Find out more about the alphaZ subscription.

Frequently Asked Questions

Anyone whose interest could be affected by, or who could affect, the organisation's ability to keep operating. That typically includes customers, employees, suppliers, regulators, shareholders, the local community, emergency services and certification bodies.
No, but the legal and regulatory requirements relevant to continuity of products and services must be identified, accessed and kept up to date. Most organisations integrate this with their wider legal register rather than maintaining a separate one.
Customers with contractual recovery time or service-level commitments should be captured in the interested parties register, with the specific requirements recorded. Those requirements then feed into the business impact analysis at Clause 8.2 to set recovery time objectives.

UK Legislation

Several pieces of UK legislation can be relevant to interested parties' requirements for business continuity, particularly for organisations in regulated sectors or providing essential services.
