Business Continuity Plans and Procedures for ISO 22301

ISO 22301 Clause 8.4

This sub-clause requires the organisation to put in place a response structure, warning and communication procedures, business continuity plans and recovery procedures.

ISO 22301 Clause 8.4 - Business Continuity Plans and Procedures

Clause 8.4 is where the strategy from Clause 8.3 turns into the actual response. The clause has four sub-parts: a general requirement, a response structure, warning and communication procedures, and the BC plans themselves. It also covers recovery - the process of moving from the temporary measures used during disruption back to normal operation.

What ISO 22301 Clause 8.4 Requires

Under Clause 8.4.1, the organisation must implement and maintain a response structure that provides timely warning and communication to relevant interested parties. Plans and procedures must be specific about the immediate steps to take, flexible enough to respond to changing conditions, focused on the impact of incidents, effective at minimising those impacts, and must assign roles and responsibilities for each task.

Under Clause 8.4.2, a structure of teams responsible for responding to disruption must be in place. Roles and responsibilities of each team and the relationships between them must be clear. Collectively the teams must be competent to assess disruption, decide on response, plan actions, set priorities, monitor effects, activate solutions and communicate. Each team must have personnel and alternates, documented procedures and the resources they need.

Under Clause 8.4.3, warning and communication procedures must be documented. They cover internal and external communication during disruption, receiving and responding to communications from interested parties (including national risk advisory systems), the availability of communication means, structured communication with emergency responders, media response and the recording of disruption details, actions taken and decisions made.

Under Clause 8.4.4, the business continuity plans themselves must be documented and maintained. Each plan must include purpose, scope and objectives, roles and responsibilities, actions to implement solutions, supporting information and activation criteria, internal and external interdependencies, resource requirements, reporting requirements and a stand-down process. Plans must be available at the time and place where they are required.

Under Clause 8.4.5, recovery procedures must be in place to restore and return business activities from the temporary measures adopted during disruption.

What a Business Continuity Plan Looks Like

A useful BC plan is short enough to read in an emergency. The opening pages typically set out the activation thresholds, the response team contact details and the immediate actions for the first hour. Subsequent sections cover scenario-specific response (loss of premises, loss of IT, loss of staff, loss of supplier, loss of utilities), communication arrangements, and the stand-down and recovery process. Long descriptive narrative is unhelpful in a plan; structured tables, flowcharts and contact lists are what gets used.

The plan is also a confidentiality consideration. It contains personal contact information for the response team and sometimes for key suppliers. It should be controlled accordingly - distributed only to those who need it, with mechanisms to update contacts when people leave, and with offline copies available in case the primary IT system is itself the thing that has failed.

The plan should match what the BIA and strategy say: activation thresholds should be based on the impact criteria from the BIA, the response actions should reflect the recovery time objectives from the BIA, and the strategies from 8.3 should be expressed as concrete steps. If the plan does not trace back to the analysis, it is just a document.

I look for plans that are clearly written, current and have been used or exercised. I check the response structure, the activation thresholds, the named individuals (and their alternates), the warning and communication procedures and the recovery process. A plan with no alternate for a critical role, no activation threshold, or no stand-down process will get a finding.

One thing that catches people out: the plan needs alternates. The most carefully written response role is no use if the named person is unavailable when the incident hits. Every key role in the plan should have a documented alternate, and the alternates should be aware they are alternates.

Practical Compliance Guidance

The F-Q94 Business Continuity Plan provides the structured template for the BC plan, including response structure, scenarios, warning and communication, and recovery procedures. The PP-1-05 Business Continuity Policy describes the overall response framework. Multiple plans may be needed where the organisation has multiple sites, departments or operations that cannot reasonably be covered by a single plan.

alphaZ document | How to use it
ISO 22301 Toolkit | The full set of policies, procedures, registers and plans that build a BCMS to the requirements of the standard.
F-Q94 Business Continuity Plan | The structured plan template covering response structure, activation criteria, scenario response, warning and communication, and recovery.
PP-1-05 Business Continuity Policy | The supporting policy procedure that describes the overall continuity framework and references the plan and registers.
P-17 Communications Policy | The communications policy that supports the warning and communication arrangements during disruption.

Subscribers to alphaZ have access to all of these documents and supporting material. Find out more about the alphaZ subscription.

Frequently Asked Questions

Should there be one business continuity plan or several?
Whichever works for the organisation. A single plan can work for a single-site operation; multi-site or complex organisations often have an overarching plan plus site-specific or function-specific plans. The total set of plans must collectively cover the requirements of Clause 8.4.

Is the business continuity plan a confidential document?
It usually contains personal contact details for the response team and sometimes for suppliers, so it should be treated as confidential and distributed only to those who need it. Storage and access controls should reflect that.

How should activation thresholds be set?
Activation thresholds should connect to the impact criteria from the BIA. A typical pattern is to set thresholds for partial activation (parts of the response team mobilised) and full activation (entire response structure mobilised), based on the severity, expected duration and scope of the disruption.

What is the difference between response and recovery?
Response is the immediate management of the disruption - keeping people safe, mobilising the response team, activating temporary arrangements. Recovery is the longer process of restoring normal operations after the immediate response, including stand-down of temporary arrangements and lessons learned.
