
ISO 22301:2019 Brief Chinese Translation

 惟知行度易德 2021-01-13

A note before the text: this brief Chinese translation was prepared so that friends can get to know and study the latest international standard for business continuity management systems, ISO 22301:2019. It draws in part on GB30146-2013. The translation starts at Clause 4 and ends at Clause 10; if you have comments or suggestions on it, please leave me a message. Also, my "ISO 22301 White Paper" has not yet been updated, but since ISO 22301:2019 does not add any new requirements, it can still be used for reference.

4 Context of the organization

4.1 Understanding the organization and its context

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its BCMS.

NOTE These issues will be influenced by the organization’s overall objectives, its products and services and the amount and type of risk that it may or may not take.

4.2 Understanding the needs and expectations of interested parties

4.2.1 General

When establishing its BCMS, the organization shall determine:

a) the interested parties that are relevant to the BCMS;

b) the relevant requirements of these interested parties.

4.2.2 Legal and regulatory requirements

The organization shall:

a) implement and maintain a process to identify, have access to, and assess the applicable legal and regulatory requirements related to the continuity of its products and services, activities and resources;

b) ensure that these applicable legal, regulatory and other requirements are taken into account in implementing and maintaining its BCMS;

c) document this information and keep it up to date.

4.3 Determining the scope of the business continuity management system

4.3.1 General

The organization shall determine the boundaries and applicability of the BCMS to establish its scope.

When determining this scope, the organization shall consider:

a) the external and internal issues referred to in 4.1;

b) the requirements referred to in 4.2;

c) its mission, goals, and internal and external obligations.

The scope shall be available as documented information.

4.3.2 Scope of the business continuity management system

The organization shall:

a) establish the parts of the organization to be included in the BCMS, taking into account its location(s), size, nature and complexity;

b) identify products and services to be included in the BCMS.

When defining the scope, the organization shall document and explain exclusions. They shall not affect the organization’s ability and responsibility to provide business continuity, as determined by the business impact analysis or risk assessment and applicable legal or regulatory requirements.

4.4 Business continuity management system

The organization shall establish, implement, maintain and continually improve a BCMS, including the processes needed and their interactions, in accordance with the requirements of this document.

5 Leadership

5.1 Leadership and commitment

Top management shall demonstrate leadership and commitment with respect to the BCMS by:

a) ensuring that the business continuity policy and business continuity objectives are established and are compatible with the strategic direction of the organization;

b) ensuring the integration of the BCMS requirements into the organization’s business processes;

c) ensuring that the resources needed for the BCMS are available;

d) communicating the importance of effective business continuity and of conforming to the BCMS requirements;

e) ensuring that the BCMS achieves its intended outcome(s);

f) directing and supporting persons to contribute to the effectiveness of the BCMS;

g) promoting continual improvement;

h) supporting other relevant managerial roles to demonstrate their leadership and commitment as it applies to their areas of responsibility.

NOTE Reference to “business” in this document can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence.

5.2 Policy

5.2.1 Establishing the business continuity policy

Top management shall establish a business continuity policy that:

a) is appropriate to the purpose of the organization;

b) provides a framework for setting business continuity objectives;

c) includes a commitment to satisfy applicable requirements;

d) includes a commitment to continual improvement of the BCMS.

5.2.2 Communicating the business continuity policy

The business continuity policy shall:

a) be available as documented information;

b) be communicated within the organization;

c) be available to interested parties, as appropriate.

5.3 Roles, responsibilities and authorities

Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization.

Top management shall assign the responsibility and authority for:

a) ensuring that the BCMS conforms to the requirements of this document;

b) reporting on the performance of the BCMS to top management.

6 Planning

6.1 Actions to address risks and opportunities

6.1.1 Determining risks and opportunities

When planning for the BCMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

a) give assurance that the BCMS can achieve its intended outcome(s);

b) prevent, or reduce, undesired effects;

c) achieve continual improvement.

6.1.2 Addressing risks and opportunities

The organization shall plan:

a) actions to address these risks and opportunities;

b) how to:

1) integrate and implement the actions into its BCMS processes (see 8.1);

2) evaluate the effectiveness of these actions (see 9.1).

NOTE Risks and opportunities relate to the effectiveness of the management system. Risks related to disruption of the business are addressed in 8.2.

6.2 Business continuity objectives and planning to achieve them

6.2.1 Establishing business continuity objectives

The organization shall establish business continuity objectives at relevant functions and levels.

The business continuity objectives shall:

a) be consistent with the business continuity policy;

b) be measurable (if practicable);

c) take into account applicable requirements (see 4.1 and 4.2);

d) be monitored;

e) be communicated;

f) be updated as appropriate.

The organization shall retain documented information on the business continuity objectives.

6.2.2 Determining business continuity objectives

When planning how to achieve its business continuity objectives, the organization shall determine:

a) what will be done;

b) what resources will be required;

c) who will be responsible;

d) when it will be completed;

e) how the results will be evaluated.

6.3 Planning changes to the business continuity management system

When the organization determines the need for changes to the BCMS, including those identified in Clause 10, the changes shall be carried out in a planned manner.

The organization shall consider:

a) the purpose of the changes and their potential consequences;

b) the integrity of the BCMS;

c) the availability of resources;

d) the allocation or reallocation of responsibilities and authorities.

7 Support

7.1 Resources

The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the BCMS.

7.2 Competence

The organization shall:

a) determine the necessary competence of person(s) doing work under its control that affects its business continuity performance;

b) ensure that these persons are competent on the basis of appropriate education, training, or experience;

c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken;

d) retain appropriate documented information as evidence of competence.

NOTE Applicable actions can include, for example, the provision of training to, the mentoring of, or the reassignment of currently employed persons; or the hiring or contracting of competent persons.

7.3 Awareness

Persons doing work under the organization’s control shall be aware of:

a) the business continuity policy;

b) their contribution to the effectiveness of the BCMS, including the benefits of improved business continuity performance;

c) the implications of not conforming with the BCMS requirements;

d) their own role and responsibilities before, during and after disruptions.

7.4 Communication

The organization shall determine the internal and external communications relevant to the BCMS, including:

a) on what it will communicate;

b) when to communicate;

c) with whom to communicate;

d) how to communicate;

e) who will communicate.

7.5 Documented information

7.5.1 General

The organization’s BCMS shall include:

a) documented information required by this document;

b) documented information determined by the organization as being necessary for the effectiveness of the BCMS.

NOTE The extent of documented information for a BCMS can differ from one organization to another due to:

— the size of organization and its type of activities, processes, products and services, and resources;

— the complexity of processes and their interactions;

— the competence of persons.

7.5.2 Creating and updating

When creating and updating documented information the organization shall ensure appropriate:

a) identification and description (e.g. a title, date, author, or reference number);

b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic);

c) review and approval for suitability and adequacy.

7.5.3 Control of documented information

7.5.3.1 Documented information required by the BCMS and by this document shall be controlled to ensure:

a) it is available and suitable for use, where and when it is needed;

b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

7.5.3.2 For the control of documented information, the organization shall address the following activities, as applicable:

a) distribution, access, retrieval and use;

b) storage and preservation, including preservation of legibility;

c) control of changes (e.g. version control);

d) retention and disposition.

Documented information of external origin determined by the organization to be necessary for the planning and operation of the BCMS shall be identified, as appropriate, and controlled.

NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.

8 Operation

8.1 Operational planning and control

The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, by:

a) establishing criteria for the processes;

b) implementing control of the processes in accordance with the criteria;

c) keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

The organization shall ensure that outsourced processes and the supply chain are controlled.

8.2 Business impact analysis and risk assessment

8.2.1 General

The organization shall:

a) implement and maintain systematic processes for analysing the business impact and assessing the risks of disruption;

b) review the business impact analysis and risk assessment at planned intervals and when there are significant changes within the organization or the context in which it operates.

NOTE The organization determines the order in which the business impact analysis and risk assessment are conducted.

8.2.2 Business impact analysis

The organization shall use the process for analysing business impacts to determine business continuity priorities and requirements. The process shall:

a) define the impact types and criteria relevant to the organization’s context;

b) identify the activities that support the provision of products and services;

c) use the impact types and criteria for assessing the impacts over time resulting from the disruption of these activities;

d) identify the time frame within which the impacts of not resuming activities would become unacceptable to the organization;

NOTE 1 This time frame can be referred to as the 'maximum tolerable period of disruption (MTPD)'.

e) set prioritized time frames within the time identified in d) for resuming disrupted activities at a specified minimum acceptable capacity;

NOTE 2 This time frame can be referred to as the 'recovery time objective (RTO)'.

f) use this analysis to identify prioritized activities;

g) determine which resources are needed to support prioritized activities;

h) determine the dependencies, including partners and suppliers, and interdependencies of prioritized activities.
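As an added illustration of steps c) to h) above, written for this page and not part of ISO 22301 or of the translation, the following Python sketch encodes a constructed BIA and checks two things a reviewer expects to hold: each RTO lies within its MTPD, and no prioritized activity depends on a resource that is recovered later than the activity itself. The activity names, the 0 to 4 impact scale and all hours are invented sample data.

```python
# Added example, not part of ISO 22301 or of this translation: a minimal
# business impact analysis (BIA) model following the steps of 8.2.2.
# Every activity, impact figure and dependency below is constructed sample data
# for a hypothetical organization; the 0..4 impact scale is an assumption.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# a) Impact criteria: the level at or above which an outage is unacceptable.
UNACCEPTABLE_LEVEL = 3


@dataclass
class Activity:
    name: str
    # c) Assessed impact over time: (hours since disruption, impact level),
    #    in increasing order of hours, using the organization's criteria.
    impact_over_time: List[Tuple[int, int]]
    # e) Recovery time objective chosen by the organization, in hours.
    rto_hours: int
    # h) Activities or suppliers this activity cannot run without.
    depends_on: List[str] = field(default_factory=list)


def mtpd_hours(activity: Activity) -> Optional[int]:
    """d) Maximum tolerable period of disruption: the first point at which the
    assessed impact reaches the unacceptable level. None means the impact never
    became unacceptable within the assessed window."""
    for hours, level in activity.impact_over_time:
        if level >= UNACCEPTABLE_LEVEL:
            return hours
    return None


def check_bia(activities: List[Activity]) -> List[str]:
    """Consistency findings a BIA reviewer looks for:
    - the RTO must lie within the MTPD (step e: 'within the time identified in d)');
    - a dependency must not be recovered later than the activity relying on it,
      otherwise the prioritized activity cannot resume on time (step h);
    - every dependency must itself have a BIA entry (steps g and h)."""
    by_name = {a.name: a for a in activities}
    findings = []
    for a in activities:
        mtpd = mtpd_hours(a)
        if mtpd is not None and a.rto_hours > mtpd:
            findings.append(f"{a.name}: RTO {a.rto_hours}h exceeds MTPD {mtpd}h")
        for dep_name in a.depends_on:
            dep = by_name.get(dep_name)
            if dep is None:
                findings.append(f"{a.name}: dependency '{dep_name}' has no BIA entry")
            elif dep.rto_hours > a.rto_hours:
                findings.append(
                    f"{a.name}: depends on {dep_name} whose RTO {dep.rto_hours}h "
                    f"is later than its own RTO {a.rto_hours}h"
                )
    return findings


def prioritized_activities(activities: List[Activity]) -> List[Activity]:
    """f) Prioritized activities: shortest MTPD first; activities whose impact
    never became unacceptable go last. Ties are broken by name for stable output."""
    def key(a: Activity):
        mtpd = mtpd_hours(a)
        return (mtpd is None, mtpd if mtpd is not None else 0, a.name)
    return sorted(activities, key=key)


# Constructed sample BIA for a hypothetical organization (hours, impact level).
SAMPLE_ACTIVITIES = [
    Activity("customer payments", [(4, 1), (8, 2), (24, 3), (48, 4)], rto_hours=12,
             depends_on=["core banking platform", "payment network supplier"]),
    Activity("core banking platform", [(1, 2), (4, 3)], rto_hours=4),
    Activity("payment network supplier", [(8, 2), (24, 3)], rto_hours=24),
    Activity("payroll", [(72, 1), (168, 2), (336, 3)], rto_hours=400),
    Activity("internal newsletter", [(168, 1)], rto_hours=720),
]

if __name__ == "__main__":
    for a in prioritized_activities(SAMPLE_ACTIVITIES):
        print(f"{a.name:26s} MTPD={mtpd_hours(a)} RTO={a.rto_hours}h")
    for finding in check_bia(SAMPLE_ACTIVITIES):
        print("FINDING:", finding)
```

On the sample data the supplier dependency of "customer payments" and the payroll RTO both come back as findings, which is exactly the kind of inconsistency a review under 8.6 should surface before the plans in 8.4 are written against those figures.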

8.2.3 Risk assessment

The organization shall implement and maintain a risk assessment process.

NOTE The process for risk assessment is addressed in ISO 31000.

The organization shall:

a) identify the risks of disruption to the organization’s prioritized activities and to their required resources;

b) analyse and evaluate the identified risks;

c) determine which risks require treatment.

NOTE Risks in this subclause relate to the disruption of business activities. Risks and opportunities related to the effectiveness of the management system are addressed in 6.1.

8.3 Business continuity strategies and solutions

8.3.1 General

Based on the outputs from the business impact analysis and risk assessment, the organization shall identify and select business continuity strategies that consider options for before, during and after disruption. The business continuity strategies shall be comprised of one or more solutions.

8.3.2 Identification of strategies and solutions

Identification shall be based on the extent to which strategies and solutions:

a) meet the requirements to continue and recover prioritized activities within the identified time frames and agreed capacity;

b) protect the organization’s prioritized activities;

c) reduce the likelihood of disruption;

d) shorten the period of disruption;

e) limit the impact of disruption on the organization’s products and services;

f) provide for the availability of adequate resources.

8.3.3 Selection of strategies and solutions

Selection shall be based on the extent to which strategies and solutions:

a) meet the requirements to continue and recover prioritized activities within the identified time frames and agreed capacity;

b) consider the amount and type of risk the organization may or may not take;

c) consider associated costs and benefits.

8.3.4 Resource requirements

The organization shall determine the resource requirements to implement the selected business continuity solutions. The types of resources considered shall include, but not be limited to:

a) people;

b) information and data;

c) physical infrastructure such as buildings, workplaces or other facilities and associated utilities;

d) equipment and consumables;

e) information and communication technology (ICT) systems;

f) transportation and logistics;

g) finance;

h) partners and suppliers.

8.3.5 Implementation of solutions

The organization shall implement and maintain selected business continuity solutions so they can be activated when needed.

8.4 Business continuity plans and procedures

8.4.1 General

The organization shall implement and maintain a response structure that will enable timely warning and communication to relevant interested parties. It shall provide plans and procedures to manage the organization during a disruption. The plans and procedures shall be used when required to activate business continuity solutions.

NOTE There are different types of procedures that comprise business continuity plans.

The organization shall identify and document business continuity plans and procedures based on the output of the selected strategies and solutions.

The procedures shall:

a) be specific regarding the immediate steps that are to be taken during a disruption;

b) be flexible to respond to the changing internal and external conditions of a disruption;

c) focus on the impact of incidents that potentially lead to disruption;

d) be effective in minimizing the impact through the implementation of appropriate solutions;

e) assign roles and responsibilities for tasks within them.

8.4.2 Response structure

8.4.2.1 The organization shall implement and maintain a structure, identifying one or more teams responsible for responding to disruptions.

8.4.2.2 The roles and responsibilities of each team and the relationships between the teams shall be clearly stated.

8.4.2.3 Collectively, the teams shall be competent to:

a) assess the nature and extent of a disruption and its potential impact;

b) assess the impact against pre-defined thresholds that justify initiation of a formal response;

c) activate an appropriate business continuity response;

d) plan actions that need to be undertaken;

e) establish priorities (using life safety as the first priority);

f) monitor the effects of the disruption and the organization’s response;

g) activate the business continuity solutions;

h) communicate with relevant interested parties, authorities and the media.

8.4.2.4 For each team there shall be:

a) identified personnel and their alternates with the necessary responsibility, authority and competence to perform their designated role;

b) documented procedures to guide their actions (see 8.4.4), including those for the activation, operation, coordination and communication of the response.

8.4.3 Warning and communication

8.4.3.1 The organization shall document and maintain procedures for:

a) communicating internally and externally to relevant interested parties, including what, when, with whom and how to communicate;

NOTE The organization can document and maintain procedures for how, and under what circumstances, the organization communicates with employees and their emergency contacts.

b) receiving, documenting and responding to communications from interested parties, including any national or regional risk advisory system or equivalent;

c) ensuring the availability of the means of communication during a disruption;

d) facilitating structured communication with emergency responders;

e) providing details of the organization’s media response following an incident, including a communications strategy;

f) recording the details of the disruption, the actions taken and the decisions made.

8.4.3.2 Where applicable, the following shall also be considered and implemented:

a) alerting interested parties potentially impacted by an actual or impending disruption;

b) ensuring appropriate coordination and communication between multiple responding organizations.

The warning and communication procedures shall be exercised as part of the organization’s exercise programme described in 8.5.

8.4.4 Business continuity plans

8.4.4.1 The organization shall document and maintain business continuity plans and procedures. The business continuity plans shall provide guidance and information to assist teams to respond to a disruption and to assist the organization with response and recovery.

8.4.4.2 Collectively, the business continuity plans shall contain:

a) details of the actions that the teams will take in order to:

1) continue or recover prioritized activities within predetermined time frames;

2) monitor the impact of the disruption and the organization’s response to it;

b) reference to the pre-defined threshold(s) and process for activating the response;

c) procedures to enable the delivery of products and services at agreed capacity;

d) details to manage the immediate consequences of a disruption giving due regard to:

1) the welfare of individuals;

2) the prevention of further loss or unavailability of prioritized activities;

3) the impact on the environment.

8.4.4.3 Each plan shall include:

a) the purpose, scope and objectives;

b) the roles and responsibilities of the team that will implement the plan;

c) actions to implement the solutions;

d) supporting information needed to activate (including activation criteria), operate, coordinate and communicate the team’s actions;

e) internal and external interdependencies;

f) the resource requirements;

g) the reporting requirements;

h) a process for standing down.

Each plan shall be usable and available at the time and place at which it is required.

8.4.5 Recovery

The organization shall have documented processes to restore and return business activities from the temporary measures adopted during and after a disruption.

8.5 Exercise programme

The organization shall implement and maintain a programme of exercising and testing to validate over time the effectiveness of its business continuity strategies and solutions.

The organization shall conduct exercises and tests that:

a) are consistent with its business continuity objectives;

b) are based on appropriate scenarios that are well planned with clearly defined aims and objectives;

c) develop teamwork, competence, confidence and knowledge for those who have roles to perform in relation to disruptions;

d) taken together over time, validate its business continuity strategies and solutions;

e) produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements;

f) are reviewed within the context of promoting continual improvement;

g) are performed at planned intervals and when there are significant changes within the organization or the context in which it operates.

The organization shall act on the results of its exercising and testing to implement changes and improvements.

8.6 Evaluation of business continuity documentation and capabilities

The organization shall:

a) evaluate the suitability, adequacy and effectiveness of its business impact analysis, risk assessment, strategies, solutions, plans and procedures;

b) undertake evaluations through reviews, analysis, exercises, tests, post-incident reports and performance evaluations;

c) conduct evaluations of the business continuity capabilities of relevant partners and suppliers;

d) evaluate compliance with applicable legal and regulatory requirements, industry best practices, and conformity with its own business continuity policy and objectives;

e) update documentation and procedures in a timely manner.

These evaluations shall be conducted at planned intervals, after an incident or activation, and when significant changes occur.

9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

The organization shall determine:

a) what needs to be monitored and measured;

b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;

c) when and by whom the monitoring and measuring shall be performed;

d) when and by whom the results from monitoring and measurement shall be analysed and evaluated.

The organization shall retain appropriate documented information as evidence of the results.

The organization shall evaluate the BCMS performance and the effectiveness of the BCMS.

9.2 Internal audit

9.2.1 General

The organization shall conduct internal audits at planned intervals to provide information on whether the BCMS:

a) conforms to:

1) the organization’s own requirements for its BCMS;

2) the requirements of this document;

b) is effectively implemented and maintained.

9.2.2 Audit programme(s)

The organization shall:

a) plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits;

b) define the audit criteria and scope for each audit;

c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;

d) ensure that the results of the audits are reported to relevant managers;

e) retain documented information as evidence of the implementation of the audit programme(s) and the audit results;

f) ensure that any necessary corrective actions are taken without undue delay to eliminate detected nonconformities and their causes;

g) ensure that follow-up audit actions include the verification of the actions taken and the reporting of verification results.

9.3 Management review

9.3.1 General

Top management shall review the organization’s BCMS, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness.

9.3.2 Management review input

The management review shall include consideration of:

a) the status of actions from previous management reviews;

b) changes in external and internal issues that are relevant to the BCMS;

c) information on the BCMS performance, including trends in:

1) nonconformities and corrective actions;

2) monitoring and measurement evaluation results;

3) audit results;

d) feedback from interested parties;

e) the need for changes to the BCMS, including the policy and objectives;

f) procedures and resources that could be used in the organization to improve the BCMS’ performance and effectiveness;

g) information from the business impact analysis and risk assessment;

h) output from the evaluation of business continuity documentation and capabilities (see 8.6);

i) risks or issues not adequately addressed in any previous risk assessment;

j) lessons learned and actions arising from near-misses and disruptions;

k) opportunities for continual improvement.

9.3.3 Management review outputs

9.3.3.1 The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the BCMS to improve its efficiency and effectiveness, including the following:

a) variations to the scope of the BCMS;

b) update of the business impact analysis, risk assessment, business continuity strategies and solutions, and business continuity plans;

c) modification of procedures and controls to respond to internal or external issues that may impact the BCMS;

d) how the effectiveness of controls will be measured.

9.3.3.2 The organization shall retain documented information as evidence of the results of management reviews. It shall:

a) communicate the results of the management review to relevant interested parties;

b) take appropriate action relating to those results.

10 Improvement

10.1 Nonconformity and corrective action

10.1.1 The organization shall determine opportunities for improvement and implement necessary actions to achieve the intended outcomes of its BCMS.

10.1.2 When a nonconformity occurs, the organization shall:

a) react to the nonconformity, and, as applicable:

1) take action to control and correct it;

2) deal with the consequences;

b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by:

1) reviewing the nonconformity;

2) determining the causes of the nonconformity;

3) determining if similar nonconformities exist, or can potentially occur;

c) implement any action needed;

d) review the effectiveness of any corrective action taken;

e) make changes to the BCMS, if necessary.

Corrective actions shall be appropriate to the effects of the nonconformities encountered.

10.1.3 The organization shall retain documented information as evidence of:

a) the nature of the nonconformities and any subsequent actions taken;

b) the results of any corrective action.

10.2 Continual improvement

The organization shall continually improve the suitability, adequacy and effectiveness of the BCMS, based on qualitative and quantitative measures.

The organization shall consider the results of analysis and evaluation, and the outputs from management review, to determine if there are needs or opportunities, relating to the business or to the BCMS, that shall be addressed as part of continual improvement.

NOTE The organization can use the processes of the BCMS, such as leadership, planning and performance evaluation, to achieve improvement.
