ISO/TS TECHNICAL SPECIFICATION 22331 First edition 2018-10 Security and resilience Business continuity management systems Guidelines for business continuity strategy Sécurité et resilience-Systemes de gestion de la poursuite des activités - Lignes directrices relatives a la stratégie de poursuite des activités Reference number ISO/TS22331:2018(E) so @IS02018 IS0/TS 22331:2018(E) COPYRIGHTPROTECTEDDOCUMENT @ IS0 2018 All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either IsO at the address below or Iso's member body in the country of the requester. ISO copyright office CP 401 : Ch. de Blandonnet 8 CH-1214 Vernier, Geneva Phone: +4122 749 0111 Fax: +41 22 749 09 47 Email: copyright@iso.org Website: www.iso.org Published in Switzerland ii @ IS0 2018 - All rights reserved IS0/TS 22331:2018(E) Contents Page Foreword ..iv Introduction. ..V 1 Scope. .1 2 Normative references ..1 3 Terms and definitions 4 Prerequisites ..1 4.1 General .1 4.2 Context of the organization .2 4.3 Interested parties .2 4.4 Business continuity roles, authorities and competencies .2 4.4.1 General 2 4.4.2 Business continuity strategy roles .2 4.4.3 Business continuity strategy authorities. .3 4.4.4 Business continuity strategy competencies .3 4.5 Top management commitment. .3 4.6 Business continuity strategy resources. .4 4.7 Business impact analysis and risk assessment ..4 5 Performing business continuity strategy determination and selection. .4 5.1 General .4 5.2 Principles. ..4 5.3 Planning and management .6 5.3.1 Overview ..6 5.3.2 Initial strategy design considerations 7 5.3.3 Strategy monitoring and continual improvement 5.4 Business continuity strategy gap analysis 7 5.5 Determining business continuity strategies .8 5.5.1 Overview.. 5.5.2 Business continuity strategy consolidation .8 5.5.3 Business continuity strategy categories .8 5.5.4 Business continuity strategy types for activities and resources 9 5.6 Selecting business continuity strategies. .17 5.6.1 General. .17 5.6.2 Strategies for protecting prioritized activities and resources 17 5.6.3 Strategies for resuming and recovering prioritized activities and resource 18 5.6.4 Approval of selected strategies... .21 6 Next steps after determining and selecting business continuity strategies .22 6.1 Implementing business continuity strategies ..22 6.2 Establishing and implementing business continuity procedures .22 7 Monitoring and reviewing business continuity strategies .22 7.1 Performance review. .22 7.2 Management review .22 Annex A (informative) Business continuity strategy within an Is0 22301 business continuitymanagementsystem .24 Bibliography .25 @ IS0 2018 - All rights reserved iii