Clause 7 is the enabling clause. It ensures the BCMS has the resources it needs, that the people involved in the BCMS have the competence required, that all personnel are aware of their roles and responsibilities, that the organisation can communicate effectively during a disruption, and that documented information — the policies, procedures, plans, and records — is managed systematically. Without these enablers, even the best-planned BCMS will fail in practice.
These five supporting elements must all be in place and functioning before the organisation attempts to demonstrate continuity capability through exercises or a real disruption. If resources are insufficient, plans cannot be executed. If competence is lacking, procedures will not be understood. If awareness is absent, staff will not know what to do. If communication planning is absent, the response to a disruption will be chaotic. If documented information is not managed, the organisation will not have access to the procedures it needs when it needs them.
Resources (7.1)
ISO 22301 requires the organisation to determine and provide the resources needed for the BCMS to establish, implement, maintain, and continually improve itself. Resources include people, technology, facilities, finance, and time. An organisation that has an excellent BCMS strategy but cannot afford backup power systems or alternate recovery sites has resource constraints that prevent full implementation. An organisation that has a BCM manager but no budget for exercises or travel to BIA interviews has insufficient resource allocation.
In audit terms, auditors evaluate whether resources are adequate by examining whether BCMS activities can be executed as planned. If exercises are being postponed because there is no budget, or if BIAs are not being conducted because there is no time allocated to the BCM function, that is a resource finding. If technology recovery plans assume systems that have not been purchased or configured, that is a resource finding. Adequacy is defined by what the BCMS requires to achieve its objectives, not by what the organisation would like to spend.
Budget considerations include: BCM programme staffing (BCM programme manager, coordinators, support); external expertise (BIA facilitators, consultants, auditors); technology (backup systems, alternate site, testing tools, document management systems); training and awareness (staff training, exercise costs, awareness materials); and ongoing maintenance (BCP reviews, technology updates, regulatory compliance activities). Most organisations find that continuity is a 1–2% operational budget line item when properly amortised, though initial certification cycles may require higher investment.
Competence (7.2)
Clause 7.2 requires the organisation to ensure that people performing work affecting BCMS performance are competent. This is not just BCM specialists; it includes departmental continuity coordinators, IT recovery teams, crisis management team members, and department heads whose decisions affect continuity. Competence means having the knowledge, skills, and experience to perform the required functions.
For the BCM programme manager, competence includes understanding BIA methodology, continuity strategy options, recovery technologies, project management, and ISO 22301 requirements. For departmental coordinators, competence includes understanding their department’s processes, the BIA process, and how to develop a BCP. For IT recovery teams, competence includes understanding the technology systems, backup and recovery procedures, and recovery testing. The organisation must identify the competence required for each role, assess whether individuals in those roles have that competence, and provide training or support to develop competence gaps.
Demonstrating competence compliance in an audit means having records: job descriptions that specify competence requirements, training records for people in BCM roles, records of internal or external training completed, and evidence that competence has been assessed (self-assessment, supervisor assessment, or completion of a competence evaluation). An organisation that cannot produce training records for people in critical BCM roles will receive a Clause 7.2 finding.
Awareness (7.3)
Clause 7.3 requires that all personnel are aware of the Business Continuity Policy, the BCMS objectives, the importance of their contribution to BCMS effectiveness, and their specific role in the event that a continuity event is declared. Awareness is distinct from training. Training builds competence (e.g., the crisis management team needs detailed training on incident response procedures). Awareness is the baseline that every employee needs: what the BC Policy says, what they personally need to do if a disruption is declared, and who to contact.
Awareness programmes typically include: awareness materials (posters, email messages, intranet content) explaining the BC Policy and continuity principles; staff induction that includes BCM awareness; annual awareness refreshers; and exercise participation that tests whether staff know their roles. Some organisations include awareness as part of the onboarding process for new staff, ensuring that continuity is understood as part of the organisational culture.
In audits, demonstrating awareness compliance means having evidence of an awareness programme: materials that were created and distributed, records of induction coverage, lists of staff who have attended awareness or training sessions, and post-exercise assessments of whether staff understood their roles. An organisation with a comprehensive BCP that staff have never seen or participated in testing cannot demonstrate awareness, and this is an audit finding.
| Awareness Topic | Target Audience | Delivery Method and Frequency |
|---|---|---|
| BC Policy and BCMS objectives | All personnel in scope | Induction (new employees), annual awareness refresher, intranet availability; at least annually |
| Personal role in BCP activation | All personnel with assigned continuity roles | Specific training on their BCP role; annual refresher; exercise participation; before any plan update |
| Evacuation and emergency procedures | All personnel at in-scope locations | Floor plans, assembly point signage, emergency contact procedures; induction and annual refresher; regular (quarterly) building drills |
| Incident reporting procedures | All personnel | Who to report to, what to report, how to report; induction and awareness materials; clear reporting channels advertised |
| Alternative working arrangements | Personnel expected to work remotely | How to access email, systems, and collaboration tools from remote location; remote access procedures; security requirements; testing during exercises |
| Communication protocols during disruption | All personnel, especially recovery teams | How communication will be managed (phones, email, messaging); command structure; who communicates with customers/regulators; role-specific communication responsibilities |
| BCP activation criteria and triggers | Managers and department heads | Who declares a continuity event, on what basis (certain threshold of impact, specific threat), how activation is communicated; escalation procedures |
| KEY IDEA | Awareness is not training. Training builds competence for specific roles — the Crisis Management Team member who needs to know how to run a crisis management bridge call, the IT recovery team member who needs to know the technology recovery runbook. Awareness is the baseline that every employee needs: what the BC Policy says, what they personally need to do if a continuity event is declared, and who to contact. Both are required by Clause 7 and both are assessed in a Stage 2 ISO 22301 audit. An organisation can have excellent training but poor awareness, or vice versa. Both matter. |
Communication (7.4)
Clause 7.4 requires the organisation to establish communication planning and procedures for the BCMS. This includes internal communication — how the organisation communicates internally during a disruption, who communicates what to whom, escalation procedures — and external communication — how the organisation communicates with customers, regulators, suppliers, media, and other interested parties during and after a disruption.
Internal communication during a disruption requires clear command structure (who is in charge, to whom do people report), communication channels (how people reach each other — phones, email, messaging apps, in person), and specific roles (who communicates recovery status, who makes decisions, who updates the crisis team). A business continuity plan that does not include internal communication procedures will result in confusion and incomplete information during a disruption. External communication requires planning on what to communicate (service status, customer impact, estimated recovery time, regulatory notifications), who communicates externally (only authorised spokespersons, to avoid contradictory messages), and when external communication occurs (real-time updates vs. periodic updates, within what timeline).
Communication planning should account for potential communication failures — if normal channels (email, mobile networks) are unavailable, what alternatives exist? Some organisations establish alternate communication links, phone trees, social media channels, or predetermined meeting points. The communication plan is tested during exercises, and improvements are made based on exercise findings.
Documented Information (7.5)
Clause 7.5 requires the organisation to create and maintain documented information needed for the BCMS to function. Documented information includes: the BCMS scope; the BC Policy; BCMS objectives; evidence of leadership commitment; the BIA methodology and results; the risk assessment results; the continuity strategy and plans; procedures; training and awareness records; exercise records; audit reports; management review records; and any information needed to ensure the BCMS operates and is maintained.
ISO 22301 distinguishes between documents (living information that is regularly reviewed and updated) and records (evidence of activities performed). A Business Continuity Plan is maintained — it is a document that must be current. An exercise report is retained — it is a record of what happened during a specific exercise. Document control requires version control, definition of who can approve changes, review cycles that ensure documents are not stale, and access controls that ensure current information is available to people who need it. Record retention requires retention schedules (how long to keep records), storage that preserves integrity, and access controls that prevent unauthorised alteration.
The document management system does not need to be sophisticated. A well-organised SharePoint with clear version control, defined review dates, and access controls meets the requirement. A shared file drive with multiple versions, no clear ownership, and no idea when things were last reviewed does not. The requirement is that documented information is available when needed and is suitable for its purpose.
| Document / Record | Type | Clause Reference |
|---|---|---|
| BCMS Scope Statement | Document (Maintained) | 4.3 |
| Business Continuity Policy | Document (Maintained) | 5.2 |
| BCMS Objectives and Planning | Document (Maintained) | 6.3 |
| Evidence of Leadership Commitment | Records (Retained) | 5.1 |
| BIA Methodology and Results | Document (Maintained) | 6.2 |
| Risk Assessment Results and Treatment | Document (Maintained) | 6.2 |
| Continuity Strategy Documentation | Document (Maintained) | 8.3 |
| Business Continuity Plans | Document (Maintained) | 8.4 |
| Crisis Management Procedures | Document (Maintained) | 8.4 |
| ICT Continuity Plans and Procedures | Document (Maintained) | 8.5 |
| Communication Plans | Document (Maintained) | 7.4 |
| Exercise Plan and Schedule | Document (Maintained) | 8.5 |
| Exercise Records and Reports | Records (Retained) | 8.5 |
| Training and Competence Records | Records (Retained) | 7.2 |
| Awareness Programme Records | Records (Retained) | 7.3 |
| Internal Audit Plan and Reports | Records (Retained) | 9.2 |
| Management Review Records | Records (Retained) | 9.3 |
| Nonconformity and Corrective Action Records | Records (Retained) | 10.1 |
| IMPORTANT | ISO 22301 specifies documented information that shall be maintained (documents — living, managed, updated) and documented information that shall be retained (records — evidence of what happened). The distinction matters because the management approach differs. A BCP is maintained, meaning it must be kept current, reviewed at least annually, updated when significant changes occur. An exercise report is retained, meaning it is kept as historical evidence, not updated, but kept long enough to show a pattern of compliance. Document control procedures must handle both types correctly. The most common Clause 7.5 finding is records that cannot be located or verified because the document management system was not designed to retain evidence systematically. |
Building an Effective BCM Communication Plan
An effective BCM communication plan identifies who communicates, about what, to whom, through which channels, and when. It distinguishes between communication during the event (real-time status updates to staff, crisis management team, key stakeholders) and communication after the event (customer impact assessment, regulatory notifications, public statements). It includes communication failure scenarios — if email is down, how do staff know the disruption status and their role?
The communication plan is operationalised through contact directories (including backup contacts and alternate phone numbers), communication templates (messages that can be quickly adapted to specific events), and escalation procedures (clear authority for who can communicate externally). It is tested during exercises and refined based on what works and what does not. A communication plan that looks good in theory but requires centralised coordination through people who are themselves affected by the disruption will fail.
In the Indonesian context, where mobile networks are heavily used and email may be less reliable in some areas, communication plans that account for SMS, WhatsApp, and voice communication are more robust than those that rely solely on email or institutional messaging. The communication plan should reflect the actual communication environment the organisation operates in.
| BITLION INSIGHT | The awareness gap is consistently the largest human factor in BCMS failures we see in Indonesian organisations. The BCM team can articulate the BCP perfectly, but the department heads, line managers, and staff who would actually be involved in a continuity event have never seen the plan, do not know their role, and have never participated in an exercise. ISO 22301 requires demonstrated awareness, not just a training record. An exercise that tests whether staff know what to do is the most reliable awareness assessment available. The exercise finding "staff did not know their BCP role" should trigger immediate awareness improvement actions. |