The ISO 223XX Standards – An Update

Published January 20th, 2024 (last modified 2024-01-27T18:49:38+00:00)

To ensure business continuity and resilience efforts are best in class, organizations rely on standards — both established and new. Standards help organizations identify and prioritize threats.

The majority of standards associated with business continuity (BC), technology disaster recovery (DR) and organizational resilience (OR) have been developed by Technical Committee 292 of the International Organization for Standardization (ISO, www.iso.org). Other standards bodies, such as the U.S. National Institute of Standards and Technology (NIST, www.nist.gov), the American National Standards Institute (ANSI, www.ansi.org), the National Fire Protection Association (NFPA, www.nfpa.org), the Federal Financial Institutions Examination Council (FFIEC, www.ffiec.gov) and ASIS International (www.asisonline.org), also publish BC/DR and resilience standards that are widely used by practitioners.

The purpose of this article is to provide an update on the ISO standards addressing BC, security and resilience. The ISO Technical Committee 292 (TC 292), Security and Resilience, has developed the majority of standards that BC/DR and resilience professionals should know.

Most resilience professionals know the ISO 223XX Series of standards, which support these disciplines. The TC 292 Committee has developed several dozen standards in the 223XX Series. For the purposes of this article, only the most important standards for BC and resilience professionals are listed, along with commentary on each standard's content. The entire list of TC 292 standards can be reviewed on the ISO web site.

The ISO 223XX Series

ISO 22300:2012 Societal Security, Terminology – a useful glossary of relevant terms.

ISO 22301:2019 Security and Resilience, Business continuity management systems – Requirements; this is the standard most often used by BC professionals; the 2019 revision expands some sections and provides added guidance.

ISO 22313:2020 Security and Resilience, Business continuity management systems – Guidance; this standard complements ISO 22301 by providing additional detail on the requirements specified in 22301; it should be read side by side with 22301.

ISO 22315:2014 Societal Security, Mass evacuation – Guidelines for planning; valuable when developing emergency plans that may involve evacuations.

ISO 22316:2017 Security and Resilience, Organizational resilience – Principles and attributes; recommended reading for anyone new to resilience.

ISO 22317:2015 Societal Security, Business continuity management systems – Guidelines for business impact analysis (BIA); this provides a comprehensive explanation of how to conduct a BIA.

ISO 22318:2021 Security and Resilience, Business continuity management systems – Guidelines for supply chain continuity management; this provides important guidance on protecting supply chains.

ISO 22319:2017 Security and Resilience, Community resilience – Guidelines for planning the involvement of spontaneous volunteers; important guidance on managing groups of volunteers who are available to assist in an emergency.

ISO 22320:2011 Societal Security, Emergency management – Requirements for incident response; very useful for establishing incident response plans.

ISO 22328:2020 Security and Resilience, Emergency management – General guidelines for the implementation of a community-based disaster early warning system; this can apply to audio alarm systems, voice communications systems and other technologies.

ISO 22329:2021 Security and Resilience, Emergency management – Guidelines for the use of social media in emergencies; provides important guidance on leveraging social media in an emergency.

ISO 22330:2018 Security and Resilience, Business continuity management systems – Guidelines for people aspects of business continuity; guidance on the management of people resources, especially useful in BC and resilience plans.

ISO 22331:2018 Security and Resilience, Business continuity management systems – Guidelines for business continuity strategy; important guidance on how to identify and develop BC strategies.

ISO 22332:2021 Security and Resilience, Business continuity management systems – Guidelines for developing business continuity plans and procedures; this is a very useful complement to ISO 22301 and explains how to develop plans and procedures.

ISO 22336 (still in review) Security and Resilience, Organizational resilience – Guidelines for resilience policy and strategy; useful when developing policies and strategies for resilience activities, and for further understanding resilience.

ISO 22360 (not yet approved) Security and Resilience, Crisis management – Concepts, principles and framework; important for crisis management planning.

ISO 22361:2022 Security and Resilience, Crisis management – Guidelines; very important guidance on implementing crisis management activities.

ISO 22397:2014 Societal Security, Guidelines for establishing partnering arrangements (public and private sector organizations); useful when working with different emergency organizations.

ISO 22398:2013 Societal Security, Exercises – Guidelines for exercises; useful guidance for planning, executing and reporting on BC/resilience exercises.

How to obtain ISO standards

ISO charges for its standards, and on the ISO web site the fees are quoted in Swiss francs (CHF). To obtain ISO standards priced in US dollars, consider using the ANSI web store at https://webstore.ansi.org/.


About the Author:

Paul Kirvan, FBCI, CISA, is an independent business resilience consultant, IT auditor, and technical writer with over 35 years of experience. Mr. Kirvan is a Fellow of the Business Continuity Institute (FBCI), a Certified Information Systems Auditor (CISA) and a member of the Resilience Association. www.resilienceassociation.org pkirvan@msn.com
https://www.linkedin.com/in/paulkirvan/
