What It Is

ISO 22301:2019 is an international certification standard for Business Continuity Management Systems (BCMS). It provides requirements to protect against, reduce likelihood of, and recover from disruptions, applicable to all organization sizes and sectors. Built on a risk-based PDCA (Plan-Do-Check-Act) approach with Annex SL high-level structure.

Key Components

• 10 clauses (4-10 core): context, leadership, planning (BIA/risk assessment), support, operation (strategies/testing), evaluation, improvement.
• No prescriptive controls; flexible, tailored requirements.
• Core principles: resilience, continual improvement, integration with ISO 27001/31000.
• 3-year certification with annual surveillance audits.

Why Organizations Use It

Enhances resilience, minimizes downtime/financial losses, ensures regulatory compliance (e.g., NIS Directive), builds stakeholder trust/reputation, offers competitive edges like procurement advantages and lower insurance. Addresses cyber, natural disasters, supply chain risks.

Implementation Overview

Gap analysis, BIA, policy development, training, testing, audits. 60 days to 6 months typical; suits SMEs to multinationals globally. Two-stage certification process.

What It Is

UK GDPR (UK General Data Protection Regulation) is the UK's post-Brexit adaptation of the EU GDPR, a binding regulation enforced by the ICO. It governs personal data processing with a risk-based, accountability-focused approach for organisations handling UK data subjects' information.

Key Components

• Seven core principles: lawfulness, purpose limitation, minimisation, accuracy, storage limitation, security, accountability.
• Individual rights: access, rectification, erasure, portability, objection.
• Controller/processor obligations: RoPAs, contracts, DPIAs, breach notifications.
• No certification; compliance via demonstrable governance and ICO enforcement (fines to 4% turnover).

Why Organizations Use It

• Mandatory for legal compliance, avoiding £17.5M+ fines.
• Enhances risk management, trust, operational efficiency.
• Builds stakeholder confidence, enables cross-border operations.

Implementation Overview

Phased: governance, data mapping (RoPA), policies, DPIAs, training, audits. Applies to all sizes processing UK data; ongoing, no formal certification but ICO audits possible. (178 words)