The new version of ISO 22301, the international business continuity management standard, was issued recently. International standards are updated regularly and the timing of 22301 helped align the standard under the Security and Resilience technical committee rather than the Societal Security committee.
This may be a bit of “inside baseball”; however, it’s important to properly align the standard in the ISO world. This is not a revolutionary change, but an important one. Rest assured that ISO 22301 still aligns neatly with ISO 9001 and ISO 27001. The 4,000 organizations that hold an ISO 22301 certificate should not fret; their certificates are valid. They will re-certify as scheduled to the ISO 22301:2019 standard as there will be a transition period of three years.
ISO 22301 – what are the changes?
Within the standard, the changes are limited. Most of the changes have been made for clarity and simplification. You’ll find that Clause 8 Operation has been reshuffled and is now clearer. The terminology has been simplified and is much more consistent. Business continuity strategy is now expressed as ‘business continuity strategy and solutions’, which tells me that the standard writers wanted to get back to the basics of finding solutions for specific risks and impacts. It now reads, “The organization shall identify and select business continuity strategies based on the outputs from the business impact analysis and risk assessment. The business continuity strategies shall be comprised of one or more solutions.” Much more pragmatic if you ask me.
Other changes include:
- Increased specific focus on planning for changes to the BCMS
- Business continuity plans better link to supporting the teams and people that will respond to a business interruption
- Less prescriptive procedures and documentation required
- Risk appetite has been removed from the standard
- Top management support – both versions require top management support; however, the revised standard focuses on what is needed to maintain an effective business continuity management system
A Pragmatic Standard
Although the changes have been minor, the strategy that the committee used is clear: develop a pragmatic standard that reflects the current state of business continuity planning and addresses the requirements in a clear manner. This certainly will help inspire trust in your ability to respond to and recover from a business interruption as well as contribute to the overall resilience of the organization.
Written by Mike Jennings, VP of Advisory Services
Mike leads the Assurance Advisory Services team. During his more than 26 years of business continuity management, disaster recovery and enterprise risk management experience, he has mentored clients and helped them solve their program needs. Mike has worked extensively with clients throughout the world on their BCM programs, including their underlying incident management and crisis management programs.