Less text, more flexibility; less prescriptiveness, more pragmatism – that, in a nutshell, is the new version of the ISO 22301 standard for Business Continuity Management Systems (BCMS). Although the revision does not bring drastic changes, the new version of the standard is a definite improvement and will bring even more value to its users.
Since its initial publication in 2012, the ISO 22301 standard has become the international benchmark for business continuity management systems. According to an ISO survey, over 4000 organizations hold an ISO 22301 certificate. The popularity of the standard has spread among very diverse industries – to name but a few, DQS has certified banks, chemical plants, IT service providers, as well as manufacturers of car parts.
Considering this popularity, it is only appropriate for ISO to review its standard and incorporate the learnings of its first years of use. In January 2019, ISO published the ISO/DIS 22301:2019 standard, which is a draft of the new version. Although there can be changes between the draft and the final version, it already gives a clear idea of what to expect.
The Good News: Changes are Limited
Let’s start with the main point: if you are already certified to ISO 22301:2012, you should have no problem whatsoever with the transition. A side-by-side comparison shows that there have been no major structural changes to the standard.
One of the main reasons that revisions of ISO management system standards have been challenging in the last couple of years has been the adoption of the High-Level Structure, which is a unified structure and core text for all ISO management system standards. However, the 2012 version of ISO 22301 already had the High-Level Structure – it was one of the very first ISO standards to feature this new structure.
Therefore, rather than rewriting the whole standard, the working group could focus on the wording and the clarity. Many redundant sections have been curtailed, the definitions have become more consistent and the text has become more logical.
The Great News: Back to the Essence of BCM
What is particularly interesting is how many requirements have been stripped back to their essence. Section 4.1 is a good example: whereas the 2012 version prescribes what an organization needs to do (and document!) in order to understand the organization and its context, the new version merely states the need to “determine external and internal issues” without specifying what this entails. It does not say which aspects need to be taken into account, nor does it include a requirement to document this process. Something similar is happening in section 7.4 on communication: the new version is markedly less prescriptive.
Another requirement that has been trimmed is the involvement of top management (5.2). Both the old and the new version require top management to commit to the BCM policy. However, whereas the old version went as far as to require top management to “actively engage in exercising and testing”, the new version is more pragmatic in its approach and focuses on what is really needed to maintain an effective BCMS.
Beside a large number of minor adjustments with little or no impact for certified sites, there are a few changes worth highlighting:
- One of the very few new requirements is clause 6.3, which requires organizations to make changes to the BCMS “in a planned manner”. Although technically this requirement is new, the content of the clause should not be a surprise to anyone.
- Section 8.2.2 on Business Impact Analysis (BIA) now stipulates that the BIA should take impact categories as a starting point. While many organizations are already defining impact categories in their BIA, the new version of the standard makes this mandatory.
- Section 8.3 has been renamed from “Business Continuity Strategy” to “Business continuity strategies and solutions”. This reflects the increased pragmatism of the standard: the focus is not so much on developing a grand strategy to ensure business continuity, but rather on finding solutions for specific risks and impacts:
“The organization shall identify and select business continuity strategies based on the outputs from the business impact analysis and risk assessment. The business continuity strategies shall be comprised of one or more solutions.”
- The term “risk appetite” has been removed from the standard. In the 2012 version, “risk appetite” was defined as the “amount and type of risk that an organization is willing to pursue or retain”. The new standard, however, is right to abolish the term. Not only is “risk appetite” a rather subjective issue, it is also ultimately irrelevant: what matters is not the risk an organization is willing to take, but the level at which the impact of not resuming activities would become unacceptable to an organization.
Revision of the ISO 22313 Guidance
By trimming down the standard to its essence, ISO has achieved a more clear separation between the requirements (what) and the guidance (how). The guidance document ISO 22313, which dates back to 2012, will also be updated to reflect the changes in the ISO 22301 standard. It is expected to be published shortly after the new version of ISO 22301 is released.
Timeline and Transition
The new version of ISO 22301 is currently at the draft stage. Depending on the feedback to the draft, the technical committee responsible for the revision expects the standard to be published in the Fall of 2019, as ISO 22301:2019.
After the publication, there will be a transition period of three years. This would mean that all certificates to the 2012 version would ultimately lose their validity in the Autumn of 2022.