Zetta Blog


Business Continuity Standards and You

by Maggie Getova

Disaster recovery (DR) is the process of normalizing a business as fast as possible after a disaster. Business continuity management (BCM) is the process of keeping the business operating during the disaster. BCM should help you to protect your reputation with partners, customers and the press; preserve income, critical business activities and assets; accelerate business recovery following the disaster; and support compliance and insurance claims.

This is a tall order but can make the difference between revenue growth and a disastrous quarter. Even if your company does not experience a major disaster, business continuity planning can tighten up inefficiencies and risk points throughout the organization.

ISO 22301 is the framework for BCM certification. ISO 22301 standards enable organizations to methodically ensure business continuity throughout the entire company. (Auxiliary document ISO 22313 gives implementation suggestions, while ISO certification 27031 is specific to IT’s responsibilities for DR/BC.)

ISO 22301’s formal definition of BCM is a mite unwieldy: “A holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.”

In actual English? “How to methodically identify and tackle business-wide threats so they don’t destroy your business.” 

The detailed framework is meant to scale across any size of business and any size of threat, ranging from contained threats like a critical database corruption to major physical disasters.


Scenario #1: Singapore-Based Food Company

A major food company based in Singapore was concerned with threats to their business. Although Singapore is largely protected from natural disasters, flash floods and heavy smog are environmental hazards. Food-borne pathogens can be disastrous for any food company, and any interruption to the manufacturing process can threaten their reputation and operating cash flow. The company is also highly regulated and needed to protect themselves against compliance failures.

The company implemented ISO 22301 so their continuity team could swing into action at the first report of an emergency, and as a competitive advantage for their business customers. Throughout the process, management buy-in was critical in order to carry out complex planning and procedures. Management was careful to communicate the importance of business continuity to all employee levels.

Scenario #2: U.S.-Based Telecommunications

This large telecommunications firm operates in 80 countries. Three primary drivers convinced them to seek ISO 22301 certification: 1) the company’s size and multi-national scope made it challenging to manage organization-wide business continuity, 2) its telecom systems and services required extreme reliability, and 3) customers preferred that the company have the certification.

Adopting ISO 22301 enabled them to reduce business continuity costs by centralizing risk assessment and mitigation across the company. The business continuity standards enabled them to proactively identify and mitigate risks to their global network. Their brand reputation has also improved due to the certification.

The Big Picture

Companies with certification teams in place can handle ISO 22301 in-house, while consultants are available for companies lacking their own teams. In both cases, companies need to invest significant resources into the business continuity management process. It’s certainly worth it: even if the Big Disaster never happens, BCM redresses multiple continuity gaps and inefficiencies. In general (quite general), here is the process:

ISO 22301 Standards Process

Planning Stage


Get executive buy-in and don’t stop there.


Your executive council must be behind ISO 22301 certification for the long haul. Departmental or divisional champions are critical too. And remember that a CEO may issue a dictum, but lower-level employees know endless ways to ignore it. Get them involved.


Identify the right requirements.


Get compliant (or know how to get there) with laws/regulations and what your customers and stakeholders need from you. It won’t help to decide that your business continuity needs a brand new 30,000 square foot data center when the neighbors hate you.


Define priority objectives.

Strategize objectives by priority. If you’re a food company, what happens if your canned food is infected with E. coli? You need to proactively plan protection now. Your employee morale-building day – or the Board appreciation trip for that matter – can wait.



Don’t trust your brain as a filing cabinet.


ISO 22301 documentation is a pain. Do it anyway. The last thing in the world that you need is a single employee or team who keep processes and procedures in their heads – and may or may not be available in the event of a disaster.



Take your risk assessment and act on it.

Take the risks you identified in planning and solve them. Let’s take the food company as an example. Be prepared with recall procedures and media plans if a batch of food goes bad. Proactivity is even better: assess and mitigate risks in your manufacturing and food preparation processes before the worst happens.


Analyze business impacts should the worst happen.


Understand the business impacts if your main plant shuts down, or if a Katrina-style event floods your managed network equipment, or if the SCA announces its high-profile investigation of your company to the Wall Street Journal.



BCM needs money but shouldn’t break the bank.


BCM takes a lot of time and capital investment, but it shouldn’t be a worse cure than the disease. When assessing and strategizing risk points, remember that you don’t have to do everything at once, and the most expensive solution is by no means necessarily the best one.


Draft the business continuity plan.


As you assess your environment’s top risks and continuity gaps, write the incident response and recovery planning sections. Always strategize: tornadoes may represent a real threat to your Midwest data center. Moving to a different region may solve the tornado problem but be disruptive and expensive. Instead, business continuity providers like Zetta allow you to fail over your systems in the cloud in the event of a disaster while you get your business-critical data back.

Train and Maintain


Know how to implement the thing.


If you’re a trucking company, business continuity might include dynamically sharing optimal routes in case of freeway shutdowns. This takes the right technology and communication – a hopeful section in the written plan won’t help if you never actually do anything about it.


Revisit the documents and review the incidents.


Even the best written plan will turn into a paperweight in a year or two. Reflect changes to people, processes and technology as soon as they happen. Review incidents as soon as possible and identify what worked, what didn’t, and what to do instead.



Test in the real world.


Commit to ongoing training and testing – live testing as much as possible. This goes not just for technology testing but for logistics, manufacturing, partner communication, reputation threats; anything that could affect the business’s health.


Evaluate and modify.


Don’t play a guessing game. Metrics are your best shot at objective evaluation. Set and keep them for every major business continuity process. Review them periodically: if metrics show that you are not meeting your objectives, then either solve the problem or scale back the objectives without introducing new risk.


Maggie Getova

Maggie is a content writer and editor at Zetta. She writes for the blog and manages web content. 
