
Interpretation of ISO 22301:2012 Business Continuity Management System Standard
Time: 2022-03-24

1 Introduction


At present, the frequent occurrence of natural disasters and man-made accidents has greatly increased the uncertainty and risk of business operations, and strengthening business continuity management has become an inevitable choice for enterprises that want an effective emergency plan. To meet the need for a single international standard for business continuity management, the ISO public safety technical committee ISO/TC 223 formulated ISO 22301:2012 "Public Safety - Business Continuity Management System - Requirements". This international standard takes in the opinions and suggestions of stakeholders, collaborators and other parties worldwide, and was recently released for implementation.


ISO 22301:2012 is intended to make public- and private-sector organizations more resilient. Its management system framework helps a company formulate an integrated management process: identify and analyse potential disasters, determine the impact that a threat, should it materialize, would have on the operation of the enterprise, and provide an effective management mechanism to prevent or offset these threats and reduce the losses that disaster events cause the enterprise.


This article introduces the background, purpose, significance and important clauses of ISO 22301:2012, so as to help enterprises in China adopt the standard.


2 Background


In the 1980s and early 1990s, emergency planning and disaster recovery relied heavily on information technology to respond to natural disasters and terrorism affecting business. Later there was a growing recognition that contingency planning and disaster recovery should be a business-led process encompassing the response to all types of disaster, and Business Continuity Management (BCM) emerged as a discipline. As government departments and legislatures began to recognize the role of business continuity in reducing socially disruptive incidents, they worked to have the right business continuity personnel in place; likewise, industry recognized that organizations depend on each other and strove to ensure that key suppliers and partners could continue to provide key products and services even when an incident occurs. There was therefore a need for an accepted benchmark of BCM good practice, and national standards on the subject were supported by Australia, Singapore, the UK and the US. The UK published the management system standard BS 25999, enabling organisations to obtain recognised certificates for the first time. In 2006, ISO held a seminar on "Emergency Response" in Florence, Italy, and the development of the ISO 22301 standard began. At the same time, many experts believed that their own national standard was the most suitable basis for an international standard. This clearly could not work, so ISO brought the leading experts together to identify the similarities between the standards, and this spirit of harmonization led to the publication known as ISO/PAS 22399:2007, "Incident Response and Continuity Management Guidelines". Developing ISO 22301 was challenging, because the many national documents on the subject were difficult to harmonize.
As a result, the ISO technical committee adopted recommendations from several national standards in the initial draft text and gradually refined them into a new, harmonized good-practice document applicable throughout the world. The new ISO 22301 standard incorporates key recommendations from Australia, France, Germany, Japan, North Korea, Singapore, Sweden, Thailand, the United Kingdom and the United States, as well as from many other stakeholders, so the release of ISO 22301 can fairly be called a genuine result of international engagement and advice.


3 Purpose and Significance


ISO 22301:2012 "Public Safety - Business Continuity Management Systems - Requirements" helps all organizations, regardless of size, location or activities undertaken, to be better prepared and more confident when dealing with any type of risk.


An incident can disrupt an organization's business at any time, and adopting the ISO 22301 standard helps ensure that the organization can respond to the incident and keep its business operating. Incidents come in many types, from severe natural disasters and terrorist activity to technology-related and environmental events. Many incidents, although small, can still have serious impacts, which is why they are always closely related to business continuity management.


Business continuity management now attracts global attention, and organizations in both the public and private sectors must understand how to prepare for and respond to unexpected and disruptive incidents. The ISO 22301 standard provides a framework for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a business continuity management system (BCMS). The standard assists organizations in preventing, preparing for, responding to and recovering from disruptive incidents.


Organizations implementing ISO 22301 will be able to demonstrate to legislators, law enforcement, customers and potential customers, and other stakeholders that they meet the requirements of BCM good practice. The new standard can also be used by internal auditors to check the organization against good practice and to issue management reports.


ISO 22301 assists organizations in designing a BCMS that appropriately meets their own requirements and those of their stakeholders with respect to laws and regulations, organizational and industry factors, the organization's products and services, its size and structure, its processes and its stakeholders. For an organization to function better, ISO 22301 requires that it fully understand its requirements, rather than treating BCM as just a project or "a plan". BCM is a continuous management process that requires competent personnel to operate it and, when required, to provide appropriate support.


  ISO 22301 is the first standard to conform to the new ISO management system standard writing format. This will facilitate the understanding of the content of the standard and ensure consistency with other management systems such as ISO 9001 (Quality Management System), ISO 14001 (Environmental Management System) and ISO/IEC 27001 (Information Security Management System). ISO 22301 is the management system standard for BCM and is suitable for third-party certification and self-assessment of organizations of all sizes and types. These organizations will be able to obtain a globally recognized certificate of compliance with the requirements of the standard, thereby demonstrating to legislators, law enforcement, customers, potential customers and other stakeholders that they meet the BCM Good Practice requirements. The ISO 22301 standard also enables business continuity managers to demonstrate to top management that international standard requirements have been met. To help users better understand the standard, the new standard briefly introduces the key elements of BCM.


4 Main content


The ISO 22301 standard is divided into 10 main clauses. The first three clauses are scope, normative references, and terms and definitions. The remaining main clauses are described below.


4.1 Clause 4: Organization


First, the organization should understand its internal and external requirements and draw clear boundaries around the scope of the management system. This requires the organization to understand the needs of stakeholders such as legislative authorities, customers and employees, and in particular the applicable legal and regulatory requirements; together, these enable the organization to determine the scope of the business continuity management system (BCMS).


4.2 Clause 5: Leadership


ISO 22301 specifically addresses the need for qualified BCM leadership. Top management must ensure that appropriate resources are provided, policies are established, and personnel are appointed to implement and maintain the BCMS.


4.3 Clause 6: Planning


This clause requires the organization to identify the risks to BCMS implementation and to establish clear objectives and criteria for measuring its effectiveness.


4.4 Clause 7: Support


Since implementing a BCMS requires resources, Clause 7 introduces the important concept of competence. For business continuity to succeed, people with the appropriate knowledge, skills and experience must manage the BCMS and respond to incidents when they occur. It is also very important that all employees recognize their responsibilities in responding to incidents, and this clause covers everything in that regard. The clause also covers the BCMS communication needs, for example informing customers that appropriate BCM arrangements are in operation, and being ready to communicate during an incident when normal channels are interrupted.


4.5 Clause 8: Operation


This clause contains the substantive body of business continuity practice. Organizations must conduct a business impact analysis to understand the impact of disruption on their business and how that impact changes over time. Risk assessment then identifies the structural risks to the business that will shape the business continuity strategy. Measures to avoid or reduce the occurrence of incidents should be developed alongside the measures to be taken when an incident does occur. Since not every incident can be predicted and prevented, risk reduction and contingency planning are complementary: hope for the best and prepare for the worst.


ISO 22301 emphasizes the need for a well-defined incident response structure. This ensures a quick response when an incident occurs, with authorized persons able to take the necessary and effective measures. The new standard also emphasizes safety of life, the key point being that organizations must communicate with external parties who may be affected, for example if an incident creates a risk of toxic release or explosion in surrounding public areas.


Clause 8 also addresses the need for a business continuity plan: a concise document that users can understand is more useful than a long and obscure one written for auditors, so a small plan may be preferable to a huge one. The last part of Clause 8 deals with exercising and testing, a key part of BCM. The purpose of a test is to demonstrate that a particular element of business continuity management works, for example checking whether a generator actually runs after it is started. Exercises may include tests, but are broader, simulating the response to an incident. They usually include training and awareness-building for handling destructive incidents of a given level of difficulty, as well as finding out whether procedures operate as expected.


4.6 Clause 9: Evaluation


As with any management system, evaluating performance against the plan is critical. ISO 22301 therefore requires organizations to evaluate themselves using appropriate performance measures. Organizations must conduct internal audits and management reviews of the BCMS, and take corresponding action based on the review results.


4.7 Clause 10: Improvement


No management system is perfect from the start, and the organization and its environment are constantly changing. Clause 10 sets out the actions to be taken to improve the BCMS over time and ensures that corrective actions arise from audits, reviews, exercises and similar activities.


5 Conclusion


ISO 22301:2012 is built on the same "Plan-Do-Check-Act" (PDCA) cycle model as other management system standards. Its main features are: it specifies the requirements for a business continuity management system (BCMS); adopting the standard and being certified against it demonstrates that the business is prepared to deal with catastrophic events and should be able to maintain its operations; the requirements are broadly applicable and can be applied to businesses of any type or size; and the financial impact of crises and catastrophic events can be minimized.


The ISO 22301 standard is now recognized internationally. It emphasizes setting objectives and monitoring performance and indicators, and it raises expectations for enterprise management and the requirements for drawing up business continuity plans. Promoting and applying the BCMS requirements of ISO 22301:2012 enables an enterprise to prove to stakeholders such as employees, customers, suppliers and shareholders that it is ready to deal with crises and catastrophic events, which would otherwise seriously affect its ability to achieve its goals. A business that does not establish and operate a BCMS will be caught off guard by a catastrophic event, with serious consequences such as loss of customers, damage to reputation, loss of funds, and possibly even bankruptcy.


Against the background of today's economic globalization, and in the face of huge business and social change as well as the challenges posed by disasters and accidents, understanding the purpose and value of a Business Continuity Management System (BCMS) is of great significance. Chinese enterprises should gain a good understanding of the requirements and meaning of the ISO 22301:2012 standard, establish a BCMS, and treat its implementation as a practical and reliable strategy for protecting the interests of corporate stakeholders while minimizing the negative impact of crises and catastrophic events.