Legal requirements, ISO standards, and best practice for business continuity management
Government organisations are required by law to protect their operations against disruption. The International Standards Organisation (ISO) sets standards for business continuity.
Your chief executive has overall responsibility for ensuring your organisation has arrangements in place for business continuity management.
Legal requirements for business continuity
Under the Civil Defence Emergency Management (CDEM) Act 2002, your organisation must have preparations in place to handle disruptions to your business. You must:
- undertake activities to ensure you can function to the fullest extent (even though this may be at a reduced level) during and after an emergency
- undertake business continuity planning activity to:
- ensure you can carry out your response and recovery roles under the CDEM Act
- mitigate risks to business disruption
- put plans and strategies in place for continuing critical business processes.
Two other sources of requirements for business continuity and disaster recovery processes you must follow are:
- New Zealand Information Security Manual (NZISM) — Business continuity and disaster recovery
- Civil Defence’s Guide to the National Plan 2015, Section 19, Planning (PDF, 67KB)
ISO standards for business continuity management
The standard relating to the requirements outlined in these webpages is ISO 22301:2012 Societal security - Business continuity management systems - Requirements
Supporting standards cover specific components of the business continuity management programme:
- ISO22300:2018 - Security and resilience -- Vocabulary
- ISO 22313:2012 BCMS — Guidance
- ISO 22316:2017 Organisational resilience — principles and attributes
- ISO 22317:2015 BCMS — Guidelines for business impact analysis
- ISO 22318:2015 BCMS — Guidelines for supply chain continuity
- ISO 22330:2018 BCMS — Guidelines for people aspects of business continuity
- ISO 22331 (under development) BCMS — Guidelines for business continuity strategy
- ISO 22398:2013 — Guidelines for exercises.
Good practice guidelines
The Business Continuity Institute publishes guidelines, available to members.
The ‘lite’ edition of the guidelines is freely available.
Page last modified: 4/05/2022