ISO releases ISO 22301:2019, the revised Business Continuity Management Systems Standard
On October 31st, 2019, ISO published the revised version of the ISO 22301 standard for Business Continuity Management Systems. ISO 22301:2019 specifies requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise.
These requirements are applicable to organizations of all types and sizes, provided that they:
- Aim to implement, maintain, and improve a BCMS
- Aim to achieve conformity with business continuity policies
- Aim to ensure the delivery of services and products following a disruption
- Aim to use BCMS as a strategy of improving organizational resilience
The technical committee that revised ISO 22301:2012 focused on clarifying and simplifying the language used, rather than on changing the standard's structure. This is because ISO 22301:2012 had already integrated the High-Level Structure.
Some of the key changes in the revised ISO 22301 standard are the following:
- The term “risk appetite” is no longer included in the standard. The 2012 standard defined it as the “amount and type of risk that an organization is willing to pursue or retain”.
- The term “impact” has been introduced.
- Societal Security has been replaced with Resilience in the standard objectives. The Technical Committee 223 (Societal Security) has been integrated into Technical Committee 292 (Security & Resilience).
- Required documents have been reduced, although related clauses are still required.
- The standard gives more freedom to organizations to implement context-specific approaches, thereby recognizing that different organizations have different needs.
- Resource identification is now dependent on solutions for business continuity rather than strategies. As a result, Section 8.3 is now called “Business Continuity Strategies and Solutions” instead of “Business Continuity Strategy”. This new approach encourages organizations to find specific solutions for different scenarios identified.
- Business Continuity Planning highlights the importance of providing assistance to the individuals involved in incident response.
- Clause 5 – Leadership, Clause 9 – Performance Evaluation and Clause 10 – Improvement were updated and simplified.
- The Introductory Guidance Information has been transferred to ISO 22313.
- Clause 6.3 was added to the standard, setting forth the requirements for change planning.
Clause 6.3
The most significant change was the addition of Clause 6.3. Clause 6.3 sets out the requirements for planning of changes in the business continuity management system. ISO urges organizations to consider the following when planning for such changes:
- The reason for the change and its impact
- The integrity of the business continuity management system
- Resource availability
- The designation of roles and responsibilities
Transition to ISO 22301:2019
ISO 22301:2012 was one of the first standards to have been developed using the High-Level Structure, a unified structure that has been adopted in different ISO management system standards after 2012. Given the already established structure, ISO 22301:2019 focused on making the standard language consistent and simplified.
For organizations, the transition to ISO 22301:2019 will not be a complex transition project, as may be the case with other standards. The new standard allows organizations to employ more efficient business continuity plans by focusing on scenario-specific solutions rather than a single, unified business continuity strategy. Resources are also identified based on solutions for business continuity rather than on strategy. The simplified language also helps organizations understand the standard better in the context of their own needs. For instance, the term “risk appetite” was rightfully removed because business continuity management is concerned with the level of impact that would disrupt the organization’s delivery of products and services, not with the amount of risk that the organization is willing to take. Therefore, the term “impact” was introduced.
The revision of ISO 22301:2012 shows how efforts have been made to bring the standard closer to the needs of organizations, strengthening the usefulness of business continuity management. Organizations certified against ISO 22301:2012 have a three-year transition period to adopt the changes made and comply with the ISO 22301:2019 standard.