#coronavirus is one of the most popular hashtags nowadays and the reason is very simple: given its rapid spread, the World Health Organization (WHO) has declared coronavirus to be a health emergency and the whole world is dealing with it.

There is another word that takes on great importance these days, a word that we don’t hear frequently: resilience.

Resilience is a word with many meanings:

  1. in material science, resilience is the ability of a material to absorb energy when deformed and release that energy upon unloading, but this is not our case.
  2. in psychology, it is an individual's ability to adapt in the face of adverse conditions, and this is closer to what we are looking for.
  3. in organizational language, it is the ability of a system to withstand changes in its environment and still function, and this is what we will be looking into today.

Many companies don’t think about resilience and don’t plan for business continuity, but we must remember what ISO says:

When a business is faced with the threat of sudden disruption to its operations,
being able to respond quickly and effectively is the key to its survival.

This sounds good, but how many companies include a pandemic risk in their business continuity plan? A pandemic crisis doesn’t affect only our staff: it also complicates the supply of raw materials and slows down our deliveries and the purchases made by our customers.
And this applies to all companies: suppliers, customers, manufacturers, supermarkets, small shops, petrol stations, ... and even hospitals.

So, what can we do?

The International Organization for Standardization (ISO) has the ISO 22301 standard, which many people know as the business continuity standard. The full title is “Security and resilience – Business continuity management system – Requirements”.

Let’s look closer into the standard and see how it can help companies.

Business continuity can be effective in dealing with both sudden disruptive incidents (e.g. fire, arson, explosions, etc.) and gradual ones like flu pandemics.

By focusing on the impact of disruption rather than the cause, business continuity identifies those activities on which an organization depends for its survival and enables the organization to determine what is required to continue to meet its obligations. Through business continuity, an organization can recognize what needs to be done to protect its resources (e.g. people, technology and information), supply chain, interested parties and reputation, before a disruptive incident occurs.

The following diagram is intended to illustrate conceptually how business continuity can be effective in mitigating sudden disruption: the main objective is to respond and manage the impact to reduce downtime and shorten disruption.

[Diagram: ISO22301 business continuity sudden disruption]

The following diagram, instead, illustrates the pandemic approach to business continuity: it’s important to understand signs before the disruption occurs to control response and slow down the disruption.

[Diagram: ISO22301 business continuity pandemic]

By taking a broad approach and asking themselves “what does this mean to me”, businesses of any size can be better prepared for the future and the present in this case. Here are some tips from our experts:

1. Don’t wait for the situation to fix itself
2. Take care of your responsibilities, follow advice from your organization and do your part for the company and society. We are all in this together.
3. You have a part in the Business Continuity Plan of your organization and you have to fulfill it; you are not alone.
4. Don’t turn smart working into “not-working”. If you are a smart worker you are lucky: you can stay safe at home with your family during an emergency, but you have to perform your work in an agile way, not simply postpone activities.

And some advice from our Business Continuity Manager:

1. Plan for the effect of the incident, not for the cause
2. During an emergency, what happens is normally more important than what caused it.
3. Bear in mind that prevention is better than cure. You have to conduct a risk assessment and implement policy to avoid an incident, but in any case, you need to have a plan.

Finally, you conducted a business impact analysis, risk assessment, and treatment, and you implemented a business continuity plan, but these days you are experiencing what your advisor always said: exercise the plan and test it, and then test again.


The ISO 22301 standard will be analyzed in more detail in the next article on our blog. But the main conclusion for today is that ISO 22301 is not managed by an IT committee (as is the case, for example, for ISO 27001, which is managed by the “Information security, cybersecurity and privacy protection” technical committee). Instead, it’s managed by the “Security and Resilience” committee and its scope is “Standardization in the field of security to enhance the safety and resilience of society”, because the main point of attention in business continuity is the health and safety of our staff.

If you are interested in ISO 22301 consulting for your organization, get in touch and our experts will help your business advance.

Written by Eugenio Bonzi

I am the Senior Data Protection Consultant at Advantio. I have great experience in ICT and Telco services, where I covered several roles and responsibilities. In the last 10 years, I focused my attention on information security and business continuity compliance.