The first edition of ISO 22301 was launched in May 2012. It was the first truly internationally accepted standard on business continuity, and it consists of requirements to implement a Business Continuity Management System according to ISO Annex SL. As such, it stood in line with its prominent predecessors such as ISO 9001 and ISO/IEC 27001.
What is good in ISO 22301-2019
Here is a summary of current modifications and similarities as compared to the original version:
The PDCA model diagram was deleted, as diagrams are hard to standardize and typically lead to endless discussions and interpretations.
Clauses 4 to 10 cover the components of PDCA, as before.
There are no normative references in this document.
The terms and definitions were updated to include the ISO Online Browsing Platform and the IEC Electropedia; both are web-based information platforms.
In clause 3 “Terms and Definitions” several terms were modified, redefined, removed and added. Major changes include:
One of the main reasons that revisions of ISO management system standards have been challenging in the last couple of years has been the adoption of the High-Level Structure, which is a unified structure and core text for all ISO management system standards. However, the 2012 version of ISO 22301 already had the High-Level Structure – it was one of the very first ISO standards to feature this new structure.
Therefore, rather than rewriting the whole standard, the working group could focus on the wording and the clarity. Many redundant sections have been curtailed, the definitions have become more consistent and the text has become more logical.
ESSENCE OF BCM ISO 22301-2019
What is particularly interesting is how many requirements have been stripped back to their essence. Section 4.1 is a good example: whereas the 2012 version prescribes what an organization needs to do (and document!) in order to understand the organization and its context, the new version merely states the need to “determine external and internal issues” without specifying what this entails. It does not say which aspects need to be taken into account, nor does it include a requirement to document this process. Something similar is happening in section 7.4 on communication: the new version is markedly less prescriptive.
Another requirement that has been trimmed is the involvement of top management (5.2). Both the old and the new version require top management to commit to the BCM policy. However, whereas the old version went as far as to require top management to “actively engage in exercising and testing”, the new version is more pragmatic in its approach and focuses on what is really needed to maintain an effective BCMS.
OTHER CHANGES PROPOSED IN ISO 22301-2019
Besides a large number of minor adjustments with little or no impact for certified sites, there are a few changes worth highlighting:
One of the very few new requirements is clause 6.3, which requires organizations to make changes to the BCMS “in a planned manner”. Although technically this requirement is new, the content of the clause should not be a surprise to anyone.
Section 8.2.2 on Business Impact Analysis (BIA) now stipulates that the BIA should take impact categories as a starting point. While many organizations are already defining impact categories in their BIA, the new version of the standard makes this mandatory.
Section 8.3 has been renamed from “Business Continuity Strategy” to “Business continuity strategies and solutions”. This reflects the increased pragmatism of the standard: the focus is not so much on developing a grand strategy to ensure business continuity, but rather on finding solutions for specific risks and impacts:
What is removed in ISO 22301-2019
The term “risk appetite” has been removed from the standard. In the 2012 version, “risk appetite” was defined as the “amount and type of risk that an organization is willing to pursue or retain”. The new standard, however, is right to abolish the term. Not only is “risk appetite” a rather subjective issue, it is also ultimately irrelevant: what matters is not the risk an organization is willing to take, but the level at which the impact of not resuming activities would become unacceptable to an organization.
REVISION OF THE ISO 22313 GUIDANCE
By trimming down the standard to its essence, ISO has achieved a clearer separation between the requirements (what) and the guidance (how). The guidance document ISO 22313, which dates back to 2012, will also be updated to reflect the changes in the ISO 22301 standard. It is expected to be published shortly after the new version of ISO 22301 is released.
TIMELINE AND TRANSITION
The new version of ISO 22301 is currently at the draft stage. Depending on the feedback to the draft, the technical committee responsible for the revision expects the standard to be published in the Fall of 2019, as ISO 22301:2019.
After the publication, there will be a transition period of three years. This would mean that all certificates to the 2012 version would ultimately lose their validity in the Autumn of 2022.
Clause 4 of ISO 22301-2019
Clause 4 “Context of the organization” received only minor modifications. The project team tried to create introductory sub-clauses at the beginning of each clause. As such, for example, sub-clause 4.1 is an introduction to clause 4 and sub-clause 4.2.1 (general) is an introduction to sub-clause 4.2.
Clause 5 of ISO 22301-2019
Clause 5 on leadership was streamlined.
Clause 6 of ISO 22301-2019
Clause 6 of ISO 22301-2019 is proposed to be changed.
Clause 7 of ISO 22301-2019
Clause 7 on support was streamlined.
Clause 8 of ISO 22301-2019
Clause 8 (operation) took a lot of time to modify, as expected, addressing the core of the matter of business continuity. While the structure of the sub-clauses was not modified a lot, new additions to the content were heavily discussed and, hopefully, improved to better suit the requirements of the practitioners who use this international standard. For example, sub-clause 8.2.2 “Business impact analysis” was enhanced and a reference to ISO 22318 (supply-chain continuity) was added. Notes referring to the terms MTPD and RTO (both removed from the clause on terms and definitions) were added. Sub-clause 8.3, formerly called “Business continuity strategy”, was renamed “Business continuity strategies and solutions”, highlighting (in 8.3.2) the need for the identification and selection of strategies and solutions. Clause 8.4 (formerly called “Establish and implement business continuity procedures”) has been renamed to “Business continuity plans and procedures”, focusing on “Response structure” (8.4.2), “Warning and communication” (8.4.3), “Business continuity plans” (8.4.4) and “Recovery” (8.4.5). A sub-clause on “Exercise program” (8.5) replaces the sub-clause formerly called “Exercising and testing”.
Clause 9 of ISO 22301-2019
Clause 9 on “Performance evaluation” and clause 10 “Improvement” were streamlined, also taking into account the new requirements by ISO on how these clauses should look in order to be aligned with all ISO management system standards.
Key changes to ISO / DIS 22301-2019
Content in clause 8 has been reordered, duplication removed and terminology is simplified and more consistent
References to risk appetite have been removed
Introductory guidance information has been removed and placed in ISO 22313, the BCMS guidance document
More specific focus on planning for changes to the BCMS
Less prescriptive procedures and documentation requirements
Business continuity strategy is more clearly expressed as “Business continuity strategy and solutions”
Business continuity plans now clearly link to supporting the teams and people that will respond to a disruption
The anticipated benefits of the updated ISO 22301-2019 standard
Inspire trust in your ability to continue operations throughout a disruption
Protect your reputation
Respond to legislative requirements
Reduce cost of disruption
Create a competitive advantage
Contribute to Organizational Resilience