
Sneak Peek at ISO 22301 2019

Gain an understanding of the proposed changes to ISO 22301 and why they are being made

May 29, 2019

Author: Lynnda Nelson
President at ICOR


ISO management system standards are valid for seven (7) years and must be updated and republished before they expire.  ISO 22301 was first published in June 2012 and so in June 2017 a committee of experts was formed and the review process began.  The updated standard is scheduled to be published shortly after September 2019.  This blog provides a sneak peek at the expected changes.

Before we take a deeper dive into the expected upcoming changes to the standard, let’s look first at why we have standards and why you should use the requirements of ISO 22301 as guideposts for improving the business continuity program at your organization.


Why international standards?

According to the International Standards Organization (ISO), international standards make things work.  They give world-class specifications for products, services and systems, to ensure quality, safety and efficiency. They are instrumental in facilitating international trade.

ISO has published 22,677 International Standards and related documents, covering almost every industry, from technology, to food safety, to agriculture and healthcare. ISO International Standards impact everyone, everywhere.

The ISO story began in 1946 when delegates from 25 countries met at the Institute of Civil Engineers in London and decided to create a new international organization ‘to facilitate the international coordination and unification of industrial standards’. On 23 February 1947 the new organization, ISO, officially began operations.

Today they have members from 164 countries and 783 technical committees and subcommittees to take care of standards development.


ISO 22301 Certified Companies

ISO publishes a study every few years providing details on the implementation of management system standards by country and industry sector.  Between 2014 and 2017, 13,024 organizations were certified to ISO 22301, with the largest numbers in Central/South Asia and Europe.

The top five industrial sectors as of 2016 include:

  1. Information technology
  2. Other services
  3. Transport, storage, and communication
  4. Wholesale and retail trade
  5. Manufacturing not elsewhere classified

The next update will be published in August 2019.

How to get involved

ISO is a global network of national standards bodies. Their members are the foremost standards organizations in their countries and there is only one member per country. Each member represents ISO in its country.  Individuals or companies cannot become ISO members, but there are ways that you can take part in standardization work.

One of the strengths of ISO standards is that they are created by the people that need them. Standards are developed by groups of experts called technical committees. These experts are put forward by ISO’s national members. If you are interested in getting involved, contact your national standards body. Your national standards body is the ISO member, and represents ISO in your country. Contact details can be found in the list of national members.

The International Consortium for Organizational Resilience (ICOR – Build-Resilience.org) is the new administrator of Work Groups 2 (Continuity and Resilience) and 5 (Community Resilience) representing the United States, under ANSI, which is the official Member Body.  The Business Continuity Institute (BCI – theBCI.org) US Chapter is sharing in the logistics of managing the work of WG 2.

If you are interested in learning how you can be involved email ISO22301@theICOR.org or call 866.765.8321.


The process of updating ISO 22301

The process for updating standards is a very “standardized” process!  The timeline below demonstrates a typical update process.

  1. December 2019:  Deadline to publish new ISO 22301.  Standards are up for review every 7 years.  If not renewed they are retired.
  2. June 2017:  The current standard (2012) went out for review globally.  The result of that review is Committee Draft 1 (CD1).
  3. March 2018: Comments were compiled by the Member Body (Country) and reviewed in Australia. The result of that review is CD2.
  4. June 2018: CD2 went out for review. 
  5. Oct. 2018: Comments on CD2 were reviewed in Norway.  Draft International Standard (DIS) was published January 2019 and went out for review again.
  6. May 2019: Met in Delft to review comments and publish ISO 22301 as a Final Draft International Standard (FDIS).
  7. September / October 2019: The final version to be published.

The guidance document – ISO 22313 – is also being updated.  It is tentatively scheduled to be published before the end of the year.

There is a template for writing management system standards called Annex L.  It identifies “blue text” that must be included in all management system standards and cannot be altered. It is called the High Level Structure (HLS).  This ensures that all management system standards are in alignment and can be used in combination or in “integrated audits.”


Changes-at-a-Glance

When the experts met for the first time in March 2018 in Sydney, several principles were agreed upon at the start to guide the decision-making:

  1. Removal / consolidation of duplicate requirements
  2. Editorial formatting to ensure all requirements have a letter/number and all complex requirements changed into bullets
  3. Improve the “readability” of the standard and remove any “jargon”.
  4. Clarification that clauses 4-7 and 9-10 refer to the BCMS and clause 8 to Business Continuity
  5. Alignment to the High Level Structure (HLS) or “blue text.”


Changes to Terms

There is a lot of ongoing discussion on the status of the terms included or not included in ISO 22301.  ISO 22300 is a “live” online platform that provides access to all terms and definitions used in all of the standards that are part of Technical Committee 292.  It can be accessed here.


All terms related to “management systems” will be included in ISO 22301.  In addition, terms that are only used in ISO 22301 will probably be included.  Those terms that are used by several standards will be available via the online platform.  The exact status of the terms included will be decided by ISO prior to publication.

One primary difference in the text of ISO 22301 is the removal of the term “risk appetite” and the use of its definition in its place: “the amount and type of risk that the organization/it may or may not take.”


Clause 4 Context of the Organization

The content of 4.1 and 4.2 has been reduced to align with the HLS; all extra content that was identified as duplicative or considered unnecessary has been removed.

4.3.2 Scope of the BCMS has been simplified to take into account its location, size, nature, and complexity with the focus on identification of the products and services included in the BCMS.


Clause 5 Leadership

All of 5.1 is “blue text,” so the content of this clause is fixed by the HLS.  All remaining content from the 2012 version has been removed as it was duplicative or considered unnecessary.

5.2 is now Policy and is essentially the same content with some formatting changes.


Clause 6 Planning

Clause 6 is meant to address the project and program management aspects of the BCMS.  There were no changes to 6.1 Actions to address risks and opportunities except for the addition of the Note to clarify that this clause relates to the effectiveness of the BCMS and the risks of disruption of the business are addressed in clause 8.2.

There are only small changes to 6.2 Business continuity objectives and planning to achieve them.  Note the emphasis on planning rather than plans: this avoids the confusion that 6.2 is about the business continuity plan, when it is about the planning of the BCMS.

The requirement to “take into account the minimum level of products and services that is acceptable to the organization to achieve its objectives” has been removed as it is an outcome of the business impact analysis and not part of business continuity program planning.

What is new is the addition of clause 6.3 Planning of changes to the BCMS.  This addition is meant to emphasize the importance of managing change and the planning of those changes to the BCMS.  While there are requirements in clauses 8.1 and 10, it was felt that emphasis was necessary for the planning phase.


Clause 7 Support

Clauses 7.1 Resources, 7.2 Competence, and 7.3 Awareness have no changes except editorial.

The requirements in Clause 7.4 Communication have been greatly reduced, as almost all of the content was also included in Clause 8.4.3 Warning and Communication and in 8.4.4 Business Continuity Plans.  For most management system standards, 7.4 includes all communication requirements.  But a BCMS has additional requirements for communication, and those are included in 8.4.3.

The intention of clause 7.4 is to document the requirements to communicate about the BCMS internally and externally.

The only changes to 7.5 Documented Information are to eliminate duplicative content.  ISO updated the “blue text.”


Clause 8 Operation

Clause 8 is the “meat and potatoes” or the primary content of ISO 22301 outside of the management system requirements.  As such, this is where you will find most of the changes to the standard.

There are no changes to 8.1 Operational planning and control.

8.2 Business impact analysis and risk assessment

There are some significant changes to this clause.  As 8.2.1 General included requirements that were specific to either the business impact analysis or the risk assessment, those requirements were moved to the appropriate subclause.

A new requirement is the need to review the business impact analysis and the risk assessment at planned intervals and when significant changes occur.  This is an important change, as these are critical analysis points that form the cornerstone for the rest of the BCMS and as such should remain relevant.

8.2.2 Business impact analysis is more prescriptive than the 2012 version.  It now includes the requirement to define and use impact types and criteria as tools to assess the impacts over time resulting from a disruption.

8.2.3 Risk assessment is less prescriptive as risk management is owned outside of ISO 22301 and ISO 31000 is a valuable reference to how to conduct the risk assessment process.  The small change is that the identification of risk treatments has been moved to clause 8.3 Strategies and solutions.

8.3 Business continuity strategies and solutions

You may have already noted the change in focus from the 2012 version to the 2019 version to “strategies and solutions”. 

The primary new concept is that there should be an overall “Business Continuity Strategy” of the organization (such as continue operations to meet requirements), supported by different strategies (such as alternate work locations or resource relocation), and then specific solutions to meet each strategy (such as working remotely or transferring work to another location).

8.3 is now divided into the identification, selection, and implementation of strategies and solutions in addition to determining resource requirements.  All strategies and solutions need to be determined as an outcome of the business impact analysis and risk assessment.

Clause 8.4 Business continuity plans and procedures

The focus of this clause is on the documentation of the plans and procedures as a direct outcome of the identification and selection of the strategies and solutions.  8.4.2 is now titled Response structure, dropping “incident” from the title.

Another change in focus is the intentional use of the term “teams” as the structure for responding to disruptions.  The previous content under 8.4.2 has been modified to focus on the actions of the teams as part of the response.  Life safety has also been highlighted as the first priority in response.

8.4.3 Warning and communication is essentially the same content with the assurance that it includes all aspects of communicating during and after an incident. 

8.4.4 Business continuity plans continues with the focus on teams and that the plans are to be used by them during and after an incident.  Communication content has been moved to 8.4.3 with the remaining content very similar to the 2012 version.  One addition is the requirement to “give due regard to the disruption’s impact on the environment.”  This means that if the response to the incident could impact the environment, the organization needs to consider this.

8.5 Exercise program

The change in clause 8.5 is primarily a focus on having an exercise program that is intentional and well-planned.  In addition, there is a new requirement that the exercise program should ensure that exercises result in “developing teamwork, competence, confidence, and knowledge for those who have roles to perform in relation to disruptions.”

In addition, the organization must act on the results of its exercising and testing to implement changes and improvements.

8.6 Evaluation of business continuity documentation and capabilities

A significant change to the document is moving the evaluation requirements from 9.1.2 to a new clause 8.6.  Similar to the change to add 6.3 to planning, this change is meant to strengthen the evaluation process and ensure it is done at “planned intervals” and not hidden in the BCMS reviews.

Evaluations of the business continuity capabilities of partners and suppliers were moved from 8.3 to 8.6.


Clauses 9 and 10:  Performance evaluation and Improvement

There are no significant changes to either of these clauses except for a reduction of content that was in addition to the HLS / blue text.


Want to Learn More or Get Certified to ISO 22301?

The ICOR courses in the BCM Discipline teach how to align, implement, and audit BCM programs using ISO 22301. The variety of courses offers education for beginners, for those with experience, and for those looking to grow professionally by learning how to audit or prepare to be audited.


BCM 2000/3000 Implementing ISO 22301 is a 3-day certification course, also offered via eLearning and self-study.

Audience: Those new to BCM, those responsible for developing and managing a BCM program, or for consultants.

Description: Whether you choose the eLearning or the instructor-led course, attendees will learn how to develop and manage a BCMS that is aligned to ISO 22301.  Included in the course materials are case studies, multi-media, small group activities, games, and takeaways such as sample policies, a BIA/Risk Assessment tool, and templates.


BCM 5000 ISO 22301 Lead Auditor is a 5-day ANSI-accredited instructor-led course.

Audience: Existing Lead Auditors, BC Professionals, Internal Auditors

Description: Provides the skills and knowledge to conduct and lead effective BCMS audits in accordance with the requirements of ISO 22301, 19011, and 17022.

The course is constructed around a case study with practical auditing activities, an auditor questionnaire and tool kit, templates for planning an audit and writing the audit report, and copies of ISO 22301 and 22313.


BCM 4000 ISO 22301 Assessor is a 1.5-day class offered instructor-led or via eLearning.

Audience: BC Professionals & Consultants, Internal Auditors

Description: Using a case study approach and the ISO 22301 Maturity Model Assessment tool, participants learn how to conduct a self-assessment of an organization’s Business Continuity Management System. The self-assessment tool is included in the course (value $995.00).

The self-assessment tool can be used to measure program alignment to ISO 22301 to improve BCMS capability, to declare conformity to ISO 22301, and to determine readiness for a third-party certification audit.


Learn more about ICOR courses in business continuity management.