ISO has published a new edition of ISO 22301 on Business continuity management systems

Natural disasters, fires, supply chain issues or cyber-attacks are just some of the many unexpected yet possible threats to the running of any business. Consistent and robust business continuity planning for what to do when disaster strikes is the best defense

Uncertainty has never been more certain and business disruption is a key area of concern for most executives, but, managed well, the benefits and opportunities are many. Having effective business continuity plans and capabilities in place is key.

ISO 22301, Security and Resilience — Business continuity management systems — Requirements is the world’s first International Standard for implementing and maintaining an effective business continuity plan.

It enables an organization to have a more effective response and a quicker recovery, thereby reducing any impact on people, products and the organization’s bottom line.

It has recently been updated to remain relevant and up to date and continue to meet market needs.

James Crask, Convenor of the ISO group of experts that developed the standard said it brings together some of the world’s best practice to help organizations of any kind respond to and recover from disruptions effectively.James Crask

“A resilient organization is one that is able to adapt to change, is aware of where their vulnerabilities lie and have plans in place should things go wrong,” he said.

 “Recovering quickly from a business disruption requires a deep understanding of what is important to an organization, easy to follow response plans and staff that know their role in an incident.

 “ISO 22301 helps organizations do all of that, thereby providing reassurance to their clients, suppliers, regulators and other stakeholders that they are not only prepared for disruption but are in shape for the future.”

Key improvements to the latest version of ISO 22301 include an improved structure and terminology to improve understanding of what is required and updates to remain in line with all other ISO management system standards.

ISO 22301:2019, Security and Resilience — Business continuity management systems — Requirements , is available from ISO national member institutes. It may also be obtained directly from the ISO Central Secretariat, respectively through the ISO Store or by contacting the Marketing, Communication & Information department.

Pressrelease from ISO, https://www.iso.org/news/ref2446.html 

 

ISO 22301 – Frequently Asked Questions

1.     Why was the ISO 22301 revised?

All ISO standards need to be periodically revised to reflect the current collective view of global good practice. To ensure this happens ISO sets a review cycle of 5 years.

In the case of ISO 22301, the first release in 2012 presented a solid structured approach for implementing and maintaining a management system for business continuity. Since then, a combination of the experience gained in using the standard and the way we now think about business continuity drove a need to revise the document.  

2.     What are the main changes in the new version compared to the 2012 version?

There are 3 main areas of change:

  • Terminology – modernised key Business Continuity terms to reflect how experts around the world now use those terms in practice.
  • Structure – Sections have been re-positioned, merged or removed (due to repetition) to more clearly separate the steps required to deliver Business Continuity capability from steps required to implement and maintain the management system.
  • Simplification – The review has resulted in a document that is easier to read and adopt. For organizations seeking certification, the new version requires adherence to fewer ‘shall’ statements.

3.     Have any new Requirements been included in the revised version (and therefore be subject to auditing from Certification bodies)?

No new requirements have been added. 

4.     Who was involved in the revision ?

ISO 22301 was revised by a working group of ISO Technical Committee 292 on Security and resilience (ISO/TC 292).  The process included input from a wide range of international experts from over 40 countries.  In addition, draft versions were issued for public comment ensuring that a wide variety of views were captured for consideration.

 5.     When will ISO 22313 be revised?

ISO 22313 is progressing through its review one step behind ISO 22301 and is anticipated for publication in early 2020.  

6.     Why is the publication of ISO 22313 later than ISO 22301?

The requirements contained in ISO 22301 needed to be agreed prior to reviewing the guidance presented in ISO 22313.  This means the process of reviewing ISO 22313 is running slightly behind the requirements document.  This approach ensures the guidance available to practitioners accurately aligns to the requirements set out in ISO 22301.

 7.     My organization’s Regulator(s) expect us to align with ISO 22301; will the revision have an impact on this?

You should contact your Regulator/ relevant authority to discuss this. Given no new requirements have been added to ISO 22301 it is unlikely there will be a significant impact.

 8.     Does ISO 22301 still apply to all organizations (in scale, type and industry)?

Yes, the scope of the Standard covers all organizations.

9.     If my organization is already certified against the 2012 version, what happens now?

There is no immediate impact on organisations that already hold certification.

Organisations will have 3 years to assess the impact of the new standard on the organisation.  Since the changes have not introduced any new requirements there should be a minimal impact on the certification process.

10.  I am part way through a certification process using the 2012 version, will the 2019 version affect that?

No, you will be free to complete the certification process using the previous version and then update it when it requires renewal (after 3 years). 

However, in discussion with your certification body you may decide to pause the process and use the new Standard. 

 11.  Can I still use the 2012 version?

Technically that is possible though anyone purchasing the Standard after the revision will buying the 2019 version.  Moving to the new version will ensure your Business Continuity Management System continues to be aligned with the latest good practice.


See also [ISO press release], [Standard description], [ISO Store]

Upcoming events

10 December, Zoom
Communication Group meeting 

9-12 December in Lausanne, Switzerland 
Working Group 4 meeting

21-26 June, 2020, in Berlin, Germany
8th ISO/TC 292 plenary meeting