by Lisa DuBrock
In May 2012, the International Organization of Standards (ISO) released a new standard for Societal Security, ISO 22301:2012. This standard is intended to give the global continuity community a baseline standard for best practices in business continuity management systems.
The new standard is expected in the near future to replace BS 25999-2:2007. That standard, developed by the British Standards Institution, is closely aligned with the Business Continuity Institute's Good Practice Guidelines.
It is expected that BS 25999 will be retired in the near future. The United Kingdom Accreditation Service (UKAS) has already issued notice that organizations which received their certification to BS 25999-2 under UKAS will have a period of time to transition their certification to the ISO 22301 standard. This can be accomplished during a normal continuing assessment review.
So what are some of the differences between BS 25999-2 and ISO 22301?
I get a lot of questions from clients in my consulting practice, and no matter who I talk to, they all start with the question above. While no one yet has extensive experience with ISO 22301, I have had extensive experience both implementing BS 25999 and providing technical expertise on the standard during certification assessments.
As I review the standard, and through discussions I have had, I see a few interesting things in this new ISO standard that I would like to point out.
Objectives and monitoring performance – While continuity objectives were required in BS 25999, the requirement for them to be measurable was not explicitly stated. ISO 22301 has rectified this by placing emphasis on measurable objectives as well as on monitoring performance.
Terms and Definitions – The terms and definitions section (Clause 3) has been expanded significantly. It now includes terms that have been common in business continuity, such as RPO (Recovery Point Objective), even when the term is not explicitly used in the remaining clauses.
Legal and Regulatory Requirements – Similar to ISO 27001 Annex A.15, ISO 22301 requires the organization to establish, implement, and maintain a procedure to identify, have access to, and assess the legal and regulatory requirements applicable to the organization as they relate to the continuity of its operations, products, and services and to the interests of interested parties.
Communication – There is an expanded communication section within the new standard which specifically requires communication plans for internal and external interested parties.
Business Continuity Strategy – I always thought that BS 25999 did an excellent job of laying out a framework for Business Impact Analysis and Risk Assessment; however, I thought it was rather light on detailing Business Continuity Strategy, opting instead for a section titled ‘Determining Choices’ followed by a few statements on strategy. ISO 22301 goes into much more detail on business continuity strategy.
Alignment to other Management System Standards – Many believed that BS 25999 was not a fully integrated management system standard, although many companies implemented BS 25999 as if it were a full management system standard. ISO 22301 follows the new requirements and alignment for all management system standards and is the first new standard to adopt these practices.
While the list above is by no means exhaustive, it gives the reader who may be considering implementing a Business Continuity program, either in compliance with or in conformity to the new ISO 22301 standard, a few key areas to be aware of.
I welcome your thoughts and comments about this new standard and how you see it aligning with BS 25999.