Business Continuity Objectives and Planning to Achieve Them for ISO 22301
ISO 22301 Clause 6.2
This sub-clause requires the organisation to establish documented business continuity objectives that are measurable and consistent with the business continuity policy.
ISO 22301 Clause 6.2 - Business Continuity Objectives and Planning to Achieve Them
Clause 6.2 turns the policy commitments into measurable goals. The clause is in two parts: establishing the objectives themselves, and planning how to achieve them. Both have to be documented. For ISO 22301, objectives must take into account the minimum level of products and services that is acceptable to the organisation - the figure that emerges from the business impact analysis at Clause 8.2.
What ISO 22301 Clause 6.2 Requires
Under Clause 6.2.1, business continuity objectives must be consistent with the business continuity policy, measurable where practicable, take account of applicable requirements, be monitored, communicated and updated as appropriate. Documented information must be retained.
Under Clause 6.2.2, the planning to achieve the objectives must determine what will be done, what resources will be needed, who will be responsible, when it will be done, and how the results will be evaluated.
What Good Business Continuity Objectives Look Like
Generic objectives like "improve resilience" do not pass the measurability test. Useful BCMS objectives are tied to something concrete - a recovery time, a test frequency, a coverage percentage, a training rate. Examples might be "test the data centre failover annually with a documented exercise report" or "achieve 100% completion of business continuity awareness training for all staff in scope within 12 months of induction" or "maintain recovery time objectives for prioritised activities at no more than 24 hours".
The minimum acceptable level of products and services is a particular ISO 22301 hook. It is the floor beneath which the organisation cannot drop without unacceptable consequences. Once that floor has been identified through the BIA, the objectives can be set to ensure the BCMS keeps the organisation above it.
I usually recommend two or three concrete objectives at the BCMS level, plus any function-level objectives that fall out of the plans and tests. Putting them in the management review form, alongside the targets and the responsible owner, keeps everything in one place and makes the annual review straightforward.
I expect to see two or three documented business continuity objectives, with measures, owners, target dates and progress against them. I will check that the objectives are consistent with the policy and that they take account of the minimum acceptable level of products and services - that bit is specific to 22301 and easy to miss.
Practical Compliance Guidance
The F-Q11 Company Objectives form is used to record business continuity objectives alongside other business objectives, with the actions, resources, owners, dates and evaluation method captured against each objective. Objectives are formally reviewed at management review using the F-Q3 Management Review form.
| alphaZ document | How to use it |
|---|---|
| ISO 22301 Toolkit | The full set of policies, procedures, registers and plans that build a BCMS to the requirements of the standard. |
| F-Q11 Company Objectives | The form for recording business continuity objectives, the actions to achieve them, the resources required, owners, target dates and the evaluation method. |
| F-Q3 Management Review | The management review template that includes objectives review as part of the management review inputs and outputs. |
Subscribers to alphaZ have access to all of these documents and supporting material. Find out more about the alphaZ subscription.
