ISO 22301 Business Continuity Standard moves forward

ISO - International Standards and Business Continuity
 
In November, the member countries of the International Standards Organisation (ISO) have been meeting in Beijing to discuss the proposed ISO for Business Continuity, ISO22301.
 
Earlier in the week doubts had been cast on its future following concerns expressed by a number of countries that the development of an Organizational Resilience Standard had the potential to adversely impact on the consistency and application of both Standards.
 
It is our understanding that through discussions held this week agreement has been reached and that the required majority has been achieved to move forward with ISO22301, but that there is likely to be careful monitoring of the development of the Organizational Resilience Standard (ISO22323) to try to ensure consistency.
 
Consequently, ISO 22301 will now move to Geneva for the FDIS stage where the final 'minor edit' hurdle is cleared. These timelines suggest ISO22301 will finally be published in Q2 2012. 
 
The issues raised in Beijing are very pertinent to the wider sector, though, and deserve a little more discussion. The Organizational Resilience work currently underway is very significant to most of those involved in Risk, Security and Business Continuity, and whilst ISO22323 is at a very early stage, the importance and potential of this standard should not be underestimated. This is already evidenced by the 4 countries that expressed reservations over the progression of the Business Continuity ISO. We know that the majority held sway in the end, but that is missing the point.
 
The maturity gained for the Business Continuity Standard, largely based on BS 25999, has meant international consistency was developed prior to the commencement of the ISO 22301 project, with many of the lessons incorporated. This highly valuable experience, maturity and industry 'buy-in' has yet to be really demonstrated for any Organizational Resilience definition, let alone a Standard. This could mean a rocky road for the development of ISO22323, with delays and confusion arising if its scope and focus are not carefully managed. There are also concerns over the approach being taken, in that ISO's Organizational Resilience standard will be a full 'Requirements' standard from the start and not a more unifying Guidance Document.
 
Some of the discussions cite the considerable standards work undertaken across the Risk Management, Business Management and other Resilience-related fields, such as Security, as really being the backbone of future developments, and argue that it is how these are integrated, managed and 'pulled together' that develops the overall Organizational Resilience needed. Simply put, the field and scope are too large, and in some areas too lacking in clarity, to create an effective requirements-based standard. The result could well be a lot of unnecessary complexity and confusion.
 
In our opinion, there is a need to develop a more structured framework that provides organisations with effective guidance on what is needed to deliver real Organizational Resilience, but there are some serious issues that need first to be acknowledged and then effectively addressed if this is to be achieved.
 
Ask any five professionals what resilience actually means. Will you get a clear and consistent answer that agrees? Probably not… you may even get a dozen different answers!
 
We'll be revisiting this topic in more depth shortly and we encourage you to send through your thoughts and feedback to us on the whole topic.
 
11/11/11