The following definitions are based on ISO 22301:2012, section 3, Terms and definitions. We've translated these into plain English in order to make them easier to understand.

An activity is a process or a set of processes that produces, or supports the production of, one or more products and services. Activities are carried out by organizations (or by others on their behalf). Examples include manufacturing activities, call centre activities, accounting activities, and so on.
An audit is an evidence gathering process. Evidence is used to evaluate how well audit criteria are being met. Audits must be objective, impartial, and independent, and the audit process must be both systematic and documented. Audits can be internal or external. Internal audits are referred to as first-party audits while external audits can be either second or third party audits. They can also be combined audits (when two or more management systems of different disciplines are audited at the same time).
Business continuity is a corporate capability. This capability exists whenever organizations can continue to deliver products and services at acceptable predefined levels after disruptive incidents have occurred.

Business continuity management is a holistic management process that is used to ensure that operations continue and that products and services are delivered at predefined levels, that brands and value-creating activities are protected, and that the reputations and interests of key stakeholders are safeguarded whenever disruptive incidents occur. This is achieved by identifying threats, by analyzing possible impacts, and by taking steps to build organizational resilience. (A holistic process is one that emphasizes the importance of the whole process and the interdependence of the parts that make up that process.)
A business continuity management system is part of an organization's overall management system. A BCMS is a set of interrelated elements that organizations use to establish, implement, operate, monitor, review, maintain, and improve business continuity capabilities. These elements include policies, plans, procedures, processes, structures, and resources. All of these elements are used to ensure that operations continue and that products and services are delivered at predefined levels, that brands and value-creating activities are protected, and that the reputations and interests of key stakeholders are safeguarded whenever disruptive incidents occur.
Business continuity plans are made up of documented procedures. Organizations use these procedures to respond to disruptive incidents, to guide recovery efforts, to resume prioritized activities, and to restore operations to acceptable predefined levels. Business continuity plans usually identify the services, activities, and resources needed to ensure that prioritized activities and functions can continue whenever disruptions occur.

A business continuity program is an ongoing management and governance process. Organizations use business continuity programs to implement and maintain their business continuity capabilities. These programs are supported by top management and are appropriately resourced.
A business impact analysis is a process that organizations use to analyze the effect a business disruption could have on activities that support the provision of products and services. The results of this analysis are used to set business continuity priorities, objectives, and targets.

Competence means being able to apply knowledge and skill to achieve intended results. Being competent means having the knowledge and skill that you need and knowing how to apply it. Being competent means that you know how to do your job.
Conformity is the "fulfillment of a requirement". To conform means to meet or comply with requirements. There are many types of requirements. There are management system requirements, customer requirements, contractual requirements, statutory requirements, and so on.

Continual improvement is a set of recurring activities that an organization carries out in order to enhance its ability to meet requirements. Continual improvements can be achieved by carrying out audits, self-assessments, management reviews, and benchmarking projects. Continual improvements can also be realized by collecting data, analyzing information, setting objectives, and implementing corrective and preventive actions.
A correction is any action that is taken to eliminate a nonconformity. However, corrections do not address causes. When applied to products, corrections can include reworking products, reprocessing them, assigning them to a different use, or simply scrapping them.

Corrective actions are steps that are taken to eliminate the causes of existing nonconformities in order to prevent recurrence. The corrective action process tries to make sure that existing nonconformities and potentially undesirable situations don't happen again.
When information is placed on a medium it becomes a document. In this context, the term medium usually refers to paper. But it can also refer to electronic, magnetic, or optical disks. A set of documents is often referred to as documentation.

The term documented information refers to information that must be controlled and maintained and its supporting medium. Documented information can be in any format and on any medium and can come from any source. Documented information includes information about the management system and related processes. It also includes all the information that organizations need to operate and all the information that they use to document the results that they achieve (aka records).
Effectiveness refers to the degree to which a planned effect is achieved. Planned activities are effective if these activities are actually realized. Similarly, planned results are effective if these results are actually achieved.

An event could be one occurrence, several occurrences, or even a nonoccurrence (when something doesn't happen that was supposed to happen). It can also be a change in circumstances. Events are sometimes referred to as incidents or accidents. Events always have causes and usually have consequences. Events without consequences are sometimes referred to as near-misses, near-hits, or close-calls.
An exercise is any process that an organization uses to assess, practice, or improve performance. Exercises can be used to train personnel, to practice improvisation, to enhance communication and coordination, to identify resource gaps and improvement opportunities, and to validate plans, procedures, and agreements.

An incident is a situation that might be a disruption, crisis, loss, or emergency, or a situation that could lead to a disruption, loss, or emergency.

The term infrastructure refers to the entire system of facilities, equipment, and services that an organization needs in order to function.
An interested party is anyone who can affect, be affected by, or believe that they are affected by a decision or activity. An interested party is a person, group, or organization that has an interest or a stake in a decision or activity.

Organizations use internal audits to audit themselves. Internal audits can be used to support the management review process or to declare that an organization complies with a set of audit criteria (this is often called a self-declaration). They are carried out by the organization itself or by others on its behalf. An audit is an evidence gathering process. Audit evidence is used to evaluate how well audit criteria are being met. Audits should be objective, impartial, and independent. Independence can often be achieved by making sure that people do not audit their own work.
An invocation is an official declaration that an organization's business continuity arrangements need to be activated or put into effect. An official invocation is necessary whenever a disruptive incident interferes with your organization's ability to deliver key products and services.

A management system is a set of interrelated or interacting elements that organizations use to direct and control how policies are applied and objectives are achieved. A process-based management system uses a process approach to manage and control how its policies are applied and its objectives are achieved. A process-based management system is made up of many interrelated and interconnected processes. The process approach is a management strategy. When managers use a process approach, it means that they manage the processes that make up their organization, the interaction between these processes, and the inputs and outputs that tie these processes together.
A maximum acceptable outage is the amount of time that can elapse before an adverse impact becomes unacceptable or intolerable. In this context, an adverse impact is caused by a failure to provide products or services or to perform an activity.

Maximum tolerable period of disruption: see 3.25 Maximum acceptable outage. According to ISO 22301, the terms maximum acceptable outage and maximum tolerable period of disruption mean the same thing and are defined using exactly the same words.

Measurement is a process that is carried out in order to determine the value of a variable.
The minimum business continuity objective is the lowest acceptable level of product or service that can be tolerated during a disruption. Below this minimum level, the organization is no longer able to provide an acceptable level of product or service or to achieve its business objectives.

To monitor means to determine the status of an activity, process, or system. In order to ascertain status, you may need to supervise and to continually check and critically observe the activity, process, or system that is being monitored.

A mutual aid agreement is a promise or a pre-arranged understanding between two or more entities to help each other whenever disruptive incidents occur.

A nonconformity is a nonfulfilment or failure to meet a requirement. A requirement is a need, expectation, or obligation. It can be stated or implied by an organization or its interested parties.
An objective is a result you wish to achieve. Objectives can be strategic, tactical, or operational and can apply to an organization as a whole or to a system, process, project, product, or service. A variety of words can be used to express objectives. These include words like target, aim, goal, purpose, or intended outcome.

According to ISO 22301, an organization can be a single person or a group that achieves its objectives by using its own functions, responsibilities, authorities, and relationships. An organization can be a company, firm, partnership, charity, institution, or authority. It can be either incorporated or unincorporated and can be either privately or publicly owned. It can also be a single operating unit that is part of a larger entity. However, an operating unit must have its own administration in order to count as an organization.
When an organization makes an arrangement with an external organization to perform part of a function or process, it is referred to as outsourcing. To outsource means to ask an external organization to perform part of a function or process on your behalf.

A performance is a measurable result that is achieved by an activity, process, product, service, system, or organization. This definition allows us to consider performance measurements. It allows us to think about the measurement of organizational performance, process performance, product performance, systemic performance, and so on. Such measurements can be either quantitative or qualitative.

Performance evaluation is a process that is used to measure and analyze measurable results. A performance evaluation measures and analyzes the results that activities achieve. It also measures and analyzes process, product, service, systemic, and organizational performance results.

Personnel are people working for and under the control of an organization. They include employees and part-time staff members, as well as agency workers.
A policy is a general commitment, direction, or intention and is stated by top management. A business continuity policy should express top management's commitment to the implementation and improvement of its business continuity management system and should allow managers to set business continuity objectives. It should be appropriate and should support the organization's overall purpose.

A procedure is a way of carrying out a process or activity. Procedures may or may not be documented. ISO sometimes asks you to document a procedure and sometimes it leaves it up to you to decide.

A process is a set of activities that are interrelated or that interact with one another. Processes use resources to transform inputs into outputs. Processes are interconnected because the output from one process becomes the input for another process.

In the context of this ISO 22301 standard, products and services are beneficial outcomes that organizations produce and deliver to their customers, recipients, and interested parties.

Prioritized activities are those that must continue whenever a disruptive incident occurs. They are usually activities that support the provision of products and services. Prioritized activities must continue in order to mitigate the impact that disruptions could have. Prioritized activities are also commonly referred to as critical, essential, vital, urgent, or key activities.
Records provide evidence that activities have been performed or results have been achieved. Records always document the past.

The term recovery point objective refers to a data recovery target. It is the point to which information or data used by an activity must be restored after a disruptive incident occurs. It is an information or data recovery objective that must be achieved in order to allow an activity to resume after a disruptive incident has occurred.

The term recovery time objective refers to a time period. It is the maximum amount of time allowed to resume an activity, recover resources, or provide products and services after a disruptive incident occurs. This target time period must be less than the maximum acceptable outage to ensure that adverse impacts do not become unacceptable.

A requirement is a need, expectation, or obligation. It can be stated or implied by an organization, its customers, or other interested parties. A specified requirement is one that has been stated (in a document for example), whereas an implied requirement is a need, expectation, or obligation that is common practice or customary.

Resources are all the assets that organizations need in order to be able to operate and achieve objectives. Resources include people, skills, information, supplies, materials, buildings, and technology.
According to ISO Guide 73:2009, definition 1.1, risk is the "effect of uncertainty on objectives" and an effect is a positive or negative deviation from what is expected. The following two paragraphs explain what this means.

ISO Guide 73 recognizes that all of us operate in an uncertain world. Whenever we try to achieve an objective, there's always a chance that things will not go according to plan. Every step has an element of risk that needs to be managed and every outcome is uncertain. Whenever we try to achieve an objective, we don't always get the results we expect. Sometimes we get positive results and sometimes we get negative results and occasionally we get both. Because of this, ISO wants us to reduce uncertainty as much as possible.

Uncertainty (or lack of certainty) is a state or condition that involves a deficiency of information and leads to inadequate or incomplete understanding. In the context of risk management, uncertainty exists whenever your knowledge or understanding of an event, consequence, or likelihood is inadequate or incomplete.

In the context of this ISO 22301 standard, risk appetite refers to the amount and type of risk that an organization is prepared to accept, tolerate, or pursue.
Risk assessment is a process that is, in turn, made up of three processes: risk identification, risk analysis, and risk evaluation. Risk identification is a process that is used to find, recognize, and describe the risks that could affect the achievement of objectives. Risk analysis is a process that is used to understand the nature, sources, and causes of the risks that you have identified and to estimate the level of risk. It is also used to study impacts and consequences and to examine the controls that currently exist. Risk evaluation is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable.

Risk management refers to a coordinated set of activities and methods that is used to direct an organization and to control the many risks that can affect its ability to achieve its objectives.

According to ISO 22301, testing is an evaluation procedure that is used to determine whether something is true, to verify that something is present, or to discover the quality of something.
The term top management normally refers to the people at the top of an organization; it refers to the people who provide resources and delegate authority and who coordinate, direct, and control organizations. However, if the scope of a management system covers only part of an organization, then the term top management refers, instead, to the people who direct and control that part of the organization.

Verification is a process that uses objective evidence to confirm that specified requirements have been met.

The term work environment refers to working conditions. It refers to all of the conditions and factors that influence work. In general, these include physical, social, psychological, and environmental conditions and factors. Work environment includes lighting and noise factors, as well as the whole range of ergonomic influences. It also includes things like supervisory practices as well as reward
and recognition programs. All of these things