ISO 22301 2019 Business Continuity

ISO 22301:2019 – Business Continuity Management Systems (BCMS): Provides a framework for planning, establishing, implementing, operating, monitoring, reviewing, maintaining, and continually improving a business continuity management system.

Controls:

Establishing the context for the business continuity management system.

  • Understanding the organization and its context - CO.1

    Determining the external and internal issues that are relevant to the organization's purpose and that affect its ability to achieve the intended outcome(s) of its business continuity management system.

  • Understanding the needs and expectations of interested parties - CO.2

    Identifying interested parties that are relevant to the business continuity management system and their relevant needs and expectations.

  • Determining the scope of the business continuity management system - CO.3

    Defining the boundaries and applicability of the business continuity management system to establish what is included and excluded.

  • Business continuity management system - CO.4

    Establishing, implementing, maintaining and continually improving a business continuity management system, including the processes needed and their interactions, in accordance with the requirements of the standard.

Establishing leadership and commitment to the business continuity management system.

  • Leadership and commitment - L.1

    Top management shall demonstrate leadership and commitment with respect to the business continuity management system.

  • Policy - L.2

    Establishing a business continuity policy that is appropriate to the purpose and context of the organization, provides a framework for setting business continuity objectives, includes a commitment to satisfy applicable requirements, and includes a commitment to continual improvement of the business continuity management system.

  • Organizational roles, responsibilities and authorities - L.3

    Ensuring that the responsibilities and authorities for relevant roles are assigned, communicated and understood within the organization.

Planning to achieve the business continuity objectives.

  • Actions to address risks and opportunities - P.1

    Determining the risks and opportunities that need to be addressed to give assurance that the business continuity management system can achieve its intended outcome(s), to prevent or reduce undesired effects, and to achieve continual improvement.

  • Business continuity objectives and planning to achieve them - P.2

    Establishing business continuity objectives at relevant functions and levels that are consistent with the business continuity policy, measurable (if practicable), monitored, communicated and updated as appropriate, and planning the actions needed to achieve them.

  • Planning of changes to the business continuity management system - P.3

    Ensuring that changes to the business continuity management system are carried out in a planned manner.

Providing the resources needed to support the business continuity management system.

  • Resources - S.1

    Determining and providing the resources needed for the establishment, implementation, maintenance and continual improvement of the business continuity management system.

  • Competence - S.2

    Determining the necessary competence of person(s) doing work under the organization's control that affects its business continuity performance; ensuring that these persons are competent on the basis of appropriate education, training or experience; determining the competence needs associated with the business continuity management system and, where needed, taking actions to acquire that competence; and evaluating the effectiveness of the actions taken.

  • Awareness - S.3

    Ensuring that persons doing work under the organization's control are aware of the business continuity policy, the relevant business continuity objectives, their contribution to the effectiveness of the business continuity management system (including the benefits of improved business continuity performance), and the implications of not conforming with the business continuity management system requirements.

  • Communication - S.4

    Determining the internal and external communications relevant to the business continuity management system, including what to communicate, when to communicate, with whom to communicate, how to communicate, and who is responsible for communicating.

  • Documented information - S.5

    Maintaining documented information to support the operation of processes and retain documented information as evidence of conformity.

  • Documented information - General - S.5.1

    The organization's business continuity management system shall include the documented information required by the standard and the documented information the organization determines to be necessary for the effectiveness of the business continuity management system.

  • Documented information - Creating and updating - S.5.2

    When creating and updating documented information, the organization shall ensure appropriate identification and description (e.g. a title, date, author or reference number), format (e.g. language, software version, graphics) and media (e.g. paper, electronic).

  • Documented information - Control of documented information - S.5.3

    Documented information required by the business continuity management system and by the standard shall be controlled to ensure that it is available and suitable for use where and when it is needed, and that it is adequately protected (e.g. from loss of confidentiality, improper use or loss of integrity). Control of documented information addresses the following activities, as applicable: distribution; access; retrieval and use; storage and preservation; control of changes (e.g. version control); and retention and disposal.

Implementing the operational aspects of business continuity.

  • Operational planning and control - O.1

    Planning, implementing and controlling the processes needed to meet requirements, and implementing the actions determined under clause 6.1 of the standard (Actions to address risks and opportunities, P.1 above).

  • Business impact analysis and risk assessment - O.2

    Conducting a business impact analysis (BIA) to understand the potential consequences of disruptive incidents and a business continuity risk assessment to identify threats and vulnerabilities.

  • Business impact analysis - O.2.1

    Determining the potential consequences of disruptive incidents on the organization's critical business processes and supporting activities.

  • Business continuity risk assessment - O.2.2

    Identifying and analyzing the risks to the organization that could disrupt its critical business processes.

  • Business continuity strategies and solutions - O.3

    Developing and implementing strategies and solutions to ensure the continuity of critical business processes in the event of a disruption.

  • Business continuity plans and procedures - O.4

    Developing and documenting business continuity plans and procedures to guide the organization's response to disruptive incidents.

  • Exercise and testing - O.5

    Conducting exercises and tests to validate the effectiveness of the business continuity plans and procedures.

  • Maintenance, monitoring and review - O.6

    Establishing processes for the ongoing maintenance, monitoring and review of the business continuity plans and arrangements.

Evaluating the performance of the business continuity management system.

  • Monitoring

    Determining what needs to be monitored and measured, the methods for monitoring, measurement, analysis and evaluation, when the monitoring and measuring shall be performed, and when the results from monitoring and measurement shall be analysed and evaluated; and evaluating the business continuity performance and the effectiveness of the business continuity management system.

  • Internal audit - PE.2

    Conducting internal audits at planned intervals to provide information on whether the business continuity management system conforms to the organization's own requirements for its business continuity management system and to the requirements of the standard, and whether it is effectively implemented and maintained.

  • Management review - PE.3

    Top management shall review the organization's business continuity management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.

Implementing actions for continual improvement of the business continuity management system.

  • Nonconformity and corrective action - I.1

    When a nonconformity occurs, the organization shall: react to the nonconformity and, as applicable, take action to control and correct it and deal with the consequences; evaluate the need for action to eliminate the cause(s) of the nonconformity so that it does not recur or occur elsewhere, by reviewing and analysing the nonconformity, determining its cause(s), and determining whether similar nonconformities exist; implement any action needed; review the effectiveness of any corrective action taken; and make changes to the business continuity management system if necessary.

  • Continual improvement - I.2

    The organization shall continually improve the suitability, adequacy and effectiveness of the business continuity management system.