ISO 22301 Security and resilience - Business continuity management systems - Requirements

This International Standard provides the requirements of a Business Continuity Management System that contributes to making organizations, in both public and private sectors, more resilient. It provides a framework to plan, establish, implement, operate, monitor, review, maintain and continually improve a business continuity management system (BCMS). It helps organizations, regardless of their size, location or activity, to be better prepared and more confident to handle disruption of any type.

This is the 2nd edition of ISO which replaces the first version which was first published in 2012. The first version of the standard has been widely used all over the world and adopted by numerous countries.

Incidents can disrupt an organization at any time and applying ISO 22301 ensures that organizations can respond and continue its operations. Incidents take many forms ranging from large scale natural disasters and acts of terror to technology-related accidents and environmental incidents. However, most incidents are small but can have a significant impact and that makes business continuity management relevant at all times. This has led to a global awareness that organizations in the public and private sectors must know how to prepare for and respond to unexpected and disruptive incidents.

Incidents can disrupt an organization at any time and applying ISO 22301 will ensure that organizations can respond and continue its operations. Incidents take many forms ranging from large scale natural disasters and acts of terror to technology-related accidents and environmental incidents. However, most incidents are small but can have a significant impact and that makes business continuity management relevant at all times. This has led to a global awareness that organizations in the public and private sectors must know how to prepare for and respond to unexpected and disruptive incidents.

ISO 22301 may be used for third-party certification as well as for self assessment. To help users get the best out of the standard, it includes short and concise requirements describing the central elements of BCM.

ISO 22301 assists organizations in the design of a BCMS that is appropriate to its needs and meets its stakeholders’ requirements. These needs are shaped by legal, regulatory, organizational and industry factors, the organization's products and services, its size and structure, its processes, and its stakeholders.

ISO 22301 addresses business continuity management to contribute making organizations in both public and private sectors more resilient. It provides a framework to plan, establish, implement, operate, monitor, review, maintain and continually improve a business continuity management system (BCMS). It helps organizations, regardless of their size, location or activity, to be better prepared and more confident to handle disruption of any type. ISO 22301 assists organizations in the design of a BCMS that is appropriate to its needs and meets its stakeholders’ requirements. These needs are shaped by legal, regulatory, organizational and industry factors, the organization's products and services, its size and structure, its processes, and its stakeholders.

Saul Midler (Australia), the project leader responsible for the revision of ISO 22301, explains:Saul Midler

"It took a global community of more than 40 Business Continuity experts 22 months to revise ISO22301. In addition to the thousands of hours of quiet reading, contemplating and writing and the hundreds of hours on skype/zoom, the project team met face to face in London, Sydney, Stavanger and Delft to bring ISO22301 up to date. I’ve been asked many times, why – why put all this effort in, what’s the benefit?  To answer this I need to slightly rephrase the question to: “who is ISO22301’s audience?”  In every meeting we had, I reminded the team of one of our key mission elements: The Audience. We didn’t write the 2019 version of the standard for experts; we wrote it for the vast majority of people who are not experts and needed clarity over the process to protect their organization from operational disruption. We want inexperienced people to stop using intuition or a mash of collected ideas from the internet. Business Continuity has and will continue to mature, and we wanted to ensure that everyone had access to current global thought leadership. We also wanted to make it easier for an organisation to pursue certification if that is important to them.

Our standard (yes we’re very proud of the final product) provides clarity over the terms we use and what they mean. We improved the clarity around separating the process for producing continuity capability and plans from the process for keeping those capabilities and documents in tune with the changing needs of the organisation. Why is this important?  Because the organisation’s structure, geography, technology, suppliers, skills and products and services change over time. The new version will also provide greater clarity for another class of users I call the watchdogs: Regulators, Auditors, Risk Managers etc anyone that has an interest to confirm the organisation is following global best practice for protecting the organisation from disruption.

ISO 22301:2019, Security and resilience – Business continuity management systems – Requirements, is available from ISO national member institutes. It may also be obtained directly from the ISO Central Secretariat,  respectively through the ISO Store or by contacting the Marketing, Communication & Information department.

ISO 22301 – Frequently Asked Questions

1.     Why was the ISO 22301 revised?

All ISO standards needs to be periodically revised to reflect the current collective view of global good practice. To ensure this happens ISO sets a review cycle of 5 years.

In the case of ISO 22301, the first release in 2012 presented a solid structured approach for implementing and maintaining a management system for business continuity. Since then, a combination of the experience gained in using the standard and the way we now think about business continuity drove a need to revise the document.  

2.     What are the main changes in the new version compared to the 2012 version?

There are 3 main areas of change:

  • Terminology – modernised key Business Continuity terms to reflect how experts around the world now use those terms in practice.
  • Structure – Sections have been re-positioned, merged or removed (due to repetition) to more clearly separate the steps required to deliver Business Continuity Capability from steps required to implement and maintain the management system.
  • Simplification – The review has resulted in a document that is easier to read and adopt. For organizations seeking certification, the new version requires adherence to fewer ‘shall’ statements.

3.     Have any new Requirements been included in the revised version (and therefore be subject to auditing from Certification bodies)?

No new requirements have been added. 

4.     Who was involved in the revision ?

ISO 22301 was revised by a working group of ISO Technical Committee 292 on Security and resilience (ISO/TC 292).  The process included input from a wide range of international experts from over 40 countries.  In addition, draft versions were issued for public comment ensuring that a wide variety of views were captured for consideration.

 5.     When will ISO 22313 be revised?

ISO 22313 is progressing through its review one step behind ISO 22301 and is anticipated for publication in early 2020.  

6.     Why is the publication of ISO 22313 later than ISO 22301?

The requirements contained in ISO 22301 needed to be agreed prior to reviewing the guidance held in ISO 22313.  This means the process of reviewing ISO 22313 is running slightly behind the requirements document.  This approach ensures the guidance available to practitioners accurately aligns to the requirements set out in ISO 22301.

 7.     My organization’s Regulator(s) expect us to align with ISO 22301; will the revision have an impact on this?

You should contact your Regulator/ relevant authority to discuss this. Given no new requirements have been added to ISO 22301 it is unlikely there will be a significant impact.

 8.     Does ISO 22301 still apply to all organizations (in scale, type and industry)?

Yes, the scope of the Standard covers all organizations.

9.     If my organization is already certified against the previous version from 2012, what happens now?

There is no immediate impact on organisations that already hold certification.

Organisations will have 3 years to assess the impact of the new standard on the organisation.  Since the changes have not introduced any new requirements there should be a minimal impact on the certification process.

10.  I am part way through a certification process using the previous version, will this revision affect that?

No, you will be free to complete the certification process using the previous version and then update it when it requires renewal (after 3 years). 

However, in discussion with your certification body you may decide to pause the process and use the new Standard. 

 11.  Can I still use the 2012 version?

Technically that is possible though anyone purchasing the Standard after the revision will buying the 2019 version.  Moving to the new version will ensure your Business Continuity Management System continues to be aligned with the latest good practice.

Upcoming events

10 December, Zoom
Communication Group meeting 

9-12 December in Lausanne, Switzerland 
Working Group 4 meeting

21-26 June, 2020, in Berlin, Germany
8th ISO/TC 292 plenary meeting