Follow these standards for business continuity and resilience

ISO 223XX and other resilience standards

Standards for business continuity and resilience include the International Organization for Standardization's ISO 223XX series and its latest additions, plus other relevant standards and documents. While some of these standards are applicable globally, many countries have their own BCDR and resilience standards, regulations and practices. The standards referenced below may be most relevant for a U.S. audience.

Standards created by the ISO are the most widely used and have become firmly established in the U.S. Typically, ISO updates standards every 5 years. ISO 22301:2019 Security and resilience -- Business continuity management systems -- Requirements is the global business continuity standard.

Updated by ISO in 2019, this standard provides additional information to plan and execute a business continuity management system. It can also serve as a tool to audit business continuity programs.

Below are the current standards in the ISO 223XX series that apply to business continuity and resilience.

When selecting a disaster recovery provider or planning crisis communications, organizations may also find ISO/IEC 27031:2011 and ISO/IEC 24762:2008 to be useful.

ISO/IEC 27031:2011 is titled Information technology -- Security techniques -- Guidelines for information and communications technology readiness for business continuity. This standard provides a concise description of a technology disaster recovery program.

ISO 24762:2008 is titled Information technology -- Security techniques -- Guidelines for information and communications technology disaster recovery services. It provides useful criteria to select a service provider.

The ISO standards in the table above explicitly address business continuity and resilience. However, there are other standards that address different areas of IT that can guide resilience and BCDR planning. The standards in the table below are worthwhile parts of a BCDR professional's technical library.

Resilience standards from across the pond

Many of the resilience standards in widespread use today originated from the U.K., in the form of publicly available specifications or British Standard documents. The British Standards Institution (BSI) continues to develop and publish standards and guidance documents that are essential reading for BCDR and resilience professionals.

The Business Continuity Institute provides a solid foundation to understand BCDR activities with its Good Practice Guidelines (GPG). Training courses based on the GPG are available from established educational firms.

In August 2020, the U.K. government published version 3.0 of a set of individual standards to guide resilience on the local level. While these standards are not intended to be international and were created specifically for the U.K., they cover relevant and important BCDR activities such as risk assessments and informing the public of a crisis.

Other resilience standards of note

The ISO TC-292 committee on security and resilience and the BSI continue to be among the leading voices in the evolution of standards. Standards and regulations addressing specific vertical markets, such as banking and healthcare, have also been updated by their respective organizations. The National Institute for Standards and Technology, National Fire Protection Association and ASIS International are the global leaders in the development of standards for business continuity, security and resilience.

In addition to these standards, ASIS International has also published an e-book, Business Continuity Guideline: A Practical Approach for Emergency Preparedness, Crisis Management, and Disaster Recovery. In 2019, the Federal Financial Institutions Examination Council updated its IT examination handbook, Business Continuity Management. The Disaster Recovery Journal continues to update its generally accepted practices for business continuity.