Awareness

ISO 22301 Clause 7.3 requires you to make sure everyone working under your control understands the business continuity (BC) policy, how their work supports the BCMS, what happens if they don’t follow requirements, and what to do during a disruption (ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements). Operationalize it by defining role-based disruption duties, training and reinforcing them, and retaining evidence that awareness is current, targeted, and tested.

Key takeaways:

  • Awareness is a control with evidence, not a one-time training event.
  • Scope includes employees and non-employees under your control (contractors, temps, relevant third parties).
  • Auditors look for role-specific disruption actions, not generic BC “read and sign” attestations.

The ISO 22301 awareness requirement is easy to misunderstand because it sounds like “send a policy and run annual training.” That approach rarely survives an audit or a real incident. Clause 7.3 is asking for something tighter: people who do work under your control must know four things—your BC policy, how they contribute to BCMS effectiveness, the consequences of not conforming, and their role during a disruption (ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements).

For a Compliance Officer, CCO, or GRC lead, the fastest path is to treat awareness as an operational readiness requirement. You need to map disruption roles to real teams, translate plans into job-relevant actions, and build repeatable communications and training that reach the right populations. Then you need to prove it with artifacts: training assignments, attendance/completions, targeted communications, role cards/runbooks, and exercise participation records.

If you use Daydream (or any GRC workflow system), the win is consistency: automated role-based training assignments, centralized evidence capture, and an auditable trail that ties each workforce segment to the specific BC expectations they must know.

Regulatory text

ISO 22301:2019 Clause 7.3 (Awareness) states: “Persons doing work under the organization's control shall be aware of the BC policy, their contribution, implications of not conforming, and their role during disruption.” (ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements)

What the operator must do

You must implement a managed process that ensures:

  1. BC policy awareness: people can find, recognize, and understand the intent and key commitments of the BC policy.
  2. Contribution awareness: people understand how their work supports continuity outcomes (for example, meeting recovery objectives, maintaining critical activities, following incident communications).
  3. Nonconformance implications: people understand what “not following BC requirements” means in your organization (operational impact, escalation, and potential disciplinary or contractual consequences).
  4. Disruption role awareness: people know what they are expected to do during a disruption, including who decides, who communicates, and how to execute workarounds.

This is not limited to full-time employees. It is about anyone doing work under your control.

Plain-English interpretation (what “awareness” means in practice)

Awareness means the right people can answer, without guessing:

  • “What is our business continuity policy trying to achieve?”
  • “What do I do that supports continuity and recovery?”
  • “What happens if I ignore BC procedures during an incident?”
  • “If a disruption occurs, what is my role in the first hours and days?”

A good audit outcome is not “everyone completed training.” A good audit outcome is credible, role-specific readiness backed by evidence.

Who it applies to (entity and operational context)

Entities

Any organization implementing or certified against ISO 22301.

In-scope populations (“persons doing work under the organization’s control”)

Build scope using control, not payroll status:

  • Employees (all functions, all locations)
  • Contractors and temporary workers
  • Key third parties performing critical activities under your operational control (for example, on-site facilities support, call center staff under your procedures, outsourced IT operations where your incident instructions must be followed)

Operational contexts that trigger deeper role specificity

You should expect more scrutiny where:

  • You have designated incident roles (incident commander, crisis communications, IT recovery leads)
  • You run critical activities with tight recovery requirements
  • You rely on manual workarounds during system outages
  • You have regulated operations where customer communications and service restoration have strict expectations

What you actually need to do (step-by-step)

Step 1: Define the awareness scope and role model

Create a simple role model that matches how your org responds to disruption. Typical buckets:

  • All personnel: baseline awareness (policy, reporting channel, basic expectations)
  • Managers: escalation, decision support, workforce coordination
  • Incident/Crisis team: command structure, communications cadence, situation reporting
  • Critical activity owners/operators: executing workarounds and recovery steps
  • IT/Facilities/Security: technical recovery actions and site access/safety procedures
  • Customer-facing teams: customer messaging rules and service restoration updates

Output artifact: Awareness scope and role matrix (role → required awareness topics → training/briefing method).

Step 2: Translate plans into job-relevant “do this” instructions

Most BC plans are too long for awareness. Convert them into role-friendly assets:

  • Role cards (one page): what to do, who to call, where to find updates, what not to do
  • Team disruption checklists: first actions, handoffs, required logs
  • Communication rules: approved channels, who can speak externally, how to report status

Keep the mapping explicit: each role card should reference the BC policy and the relevant plan section.

Output artifacts: role cards/runbooks, quick-reference guides.

Step 3: Build an awareness and training method per role

Use multiple channels; do not depend on a single annual module.

  • All personnel: short training + intranet BC page + periodic reminders
  • Managers: scenario-based briefings focused on escalation and staffing decisions
  • Incident roles: facilitated tabletop exercises and call-tree drills
  • Critical activity teams: walkthroughs of workarounds and recovery tasks

Design principle: the closer someone is to execution during disruption, the more you need hands-on practice rather than passive reading.

Output artifacts: training content, assignment logic, exercise schedule.

Step 4: Communicate “implications of not conforming” in a way HR and Procurement can support

“Implications” must be real, not implied. Align language across:

  • HR policies (disciplinary approach for employees)
  • Contractor/third-party terms (contractual obligations to follow incident procedures and participate in exercises where applicable)
  • Operational consequences (safety risks, data handling risks, service impacts)

This does not require threatening language; it requires clarity: ignoring incident comms rules or workarounds creates operational harm and may trigger corrective action.

Output artifacts: policy references, contract clause library (where applicable), onboarding acknowledgments.

Step 5: Assign, track, and remediate

Create governance that answers:

  • Who assigns awareness activities?
  • How do you ensure new hires/contractors are covered?
  • What happens when someone misses training or changes roles?

In Daydream, this is typically handled through workflow assignments tied to HR feeds or access groups, with an evidence repository for completions and acknowledgments.

Output artifacts: training assignment records, completion reports, exception handling logs.

Step 6: Prove effectiveness through testing and feedback

Clause 7.3 is “awareness,” but auditors will still ask whether awareness works in practice. The cleanest proof is:

  • Participation in exercises
  • Post-exercise evaluations that identify awareness gaps
  • Corrective actions and follow-through (updates to role cards, training refresh)

Output artifacts: exercise attendance, after-action reports, corrective action tickets, updated materials.

Required evidence and artifacts to retain

Aim for evidence that is role-based, current, and attributable (who, what, when).

  • BC policy publication record (version, approval, where posted)
  • Workforce/role scoping document (who is in which awareness tier)
  • Training/briefing materials (slides, LMS module, manager briefing guide)
  • Assignment and completion evidence (LMS exports, sign-in sheets, attestations)
  • Role cards/runbooks and distribution method
  • Exercise artifacts (invites, attendance, scenarios, after-action reports)
  • Records of communications (BC awareness campaign messages, intranet announcements)
  • Nonconformance handling references (HR policy links, contract language where relevant)
  • Exceptions and remediation evidence (overdue follow-up, retraining, coaching)

Common exam/audit questions and hangups

Auditors and certification bodies tend to push on these points:

  1. “Who is included in ‘persons doing work under your control’?”
    Hangup: teams exclude contractors or critical outsourced functions without a rationale.

  2. “Show me that people know their role during disruption.”
    Hangup: you only have policy attestations, not role-specific instructions or exercise proof.

  3. “How do you keep awareness current after org changes?”
    Hangup: no trigger for role changes, reorganizations, or new critical activities.

  4. “What are the implications of not conforming, and where is that defined?”
    Hangup: vague statements without linkage to HR/contractual mechanisms.

  5. “How do you know awareness is effective?”
    Hangup: you measure completions but have no exercises, no knowledge checks, no gap tracking.

Frequent implementation mistakes (and how to avoid them)

  • Mistake: Treating awareness as a one-time annual training.
    Fix: add event-driven updates (role change, plan change, post-incident refresh) and periodic comms.

  • Mistake: Pushing the same content to everyone.
    Fix: create tiers. Critical roles need checklists and practice, not generic policy summaries.

  • Mistake: No operational tie to disruption execution.
    Fix: require evidence that teams can perform key actions (tabletops, call-tree drills, walkthroughs).

  • Mistake: Ignoring third parties under your control.
    Fix: document which third parties are in scope, then contractually require participation and awareness where applicable.

  • Mistake: Evidence scattered across email and shared drives.
    Fix: centralize evidence in a controlled repository. Daydream can hold a clause-mapped evidence set with clear ownership and review prompts.

Enforcement context and risk implications

No public enforcement cases were provided for this ISO clause. Treat the risk as operational and audit-driven:

  • During an incident, lack of awareness causes delays, conflicting communications, unsafe decisions, and recovery failures.
  • During certification audits, awareness gaps commonly show up as nonconformities where training is generic, role instructions are missing, or third-party coverage is unclear.

A practical 30/60/90-day execution plan

First 30 days (Immediate)

  • Confirm the BC policy is current, approved, and accessible.
  • Build the role-based awareness matrix (tiers, audiences, topics, owners).
  • Inventory disruption roles and existing materials (plans, call trees, runbooks).
  • Decide how you will track completion and evidence (LMS/GRC repository such as Daydream).

Days 31–60 (Near-term)

  • Draft and publish role cards for incident roles and critical activity teams.
  • Launch baseline awareness for all personnel (policy + reporting/escalation channel).
  • Align “implications of not conforming” with HR and Procurement language.
  • Stand up reporting: completion status by role, exceptions, and remediation workflow.

Days 61–90 (Operationalize)

  • Run at least one exercise format appropriate for your org (tabletop or functional walkthrough) and capture after-action outputs.
  • Update training and role cards based on exercise gaps.
  • Formalize ongoing triggers: onboarding, role change, plan change, post-incident refresh.
  • Prepare an audit-ready evidence pack mapped to Clause 7.3.

Frequently Asked Questions

Does “awareness” mean everyone must read the full business continuity plan?

No. Clause 7.3 requires awareness of the BC policy, individual contribution, implications of nonconformance, and disruption roles (ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements). Most personnel need short, practical guidance; detailed plans should be targeted to responders and critical teams.

Are contractors and third parties in scope?

Yes, if they are “doing work under the organization’s control” (ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements). Document which third parties are in scope and ensure they receive role-appropriate instructions and acknowledgments.

What’s acceptable evidence if we don’t have an LMS?

Sign-in sheets, dated briefings, distribution logs for role cards, and attestations can work if they are controlled, attributable, and retrievable. The audit risk is fragmentation; a single repository (for example, Daydream) reduces gaps.

How detailed do “implications of not conforming” need to be?

They need to be explicit enough that staff understand consequences and auditors can see the mechanism. Reference the relevant HR policy for employees and contract terms or SOW obligations for contractors and in-scope third parties.

How do we show role awareness for incident responders?

Maintain role cards/runbooks, exercise participation records, and after-action reports that show responders practiced their responsibilities and updated materials after identified gaps.

We have multiple sites and business units. Do we need different awareness materials?

If disruption roles, escalation paths, or workarounds differ, you need localized role instructions. Keep the BC policy consistent, then tailor role cards, call trees, and site-specific procedures.

