ISO Business Continuity Standard 22301 approved
The ISO 22301 Business Continuity Management System (Requirements) Standard has been approved by vote this week by the ISO Technical Committee (TC223).
Through this vote the way is now clear for the full publication of the Standard that we would expect to be available for purchase from the BSI and others in the early summer.
Users of the British Standard BS 25999 will continue to be certified, at least until the expiration date, but is is likely that many will choose to adopt this the new Global Standard.
A lot of focus in the development of ISO 22301 has been to ensure consistency with other management systems, whilst looking to preserve and develop the solid foundation laid by the BSI's BCM/1 Committee with the British Standard BS 25999.
The structure and layout of the new Business Continuity ISO does differ from the now familiar British Standard, but the core elements are still all there. There are some terminology differences, as ISO 22301 must align across a broad framework of management system standards, and whilst it'll take a little getting used to the common sense approach taken it looks like it'll be clearly clearly beneficial in the long run.
A characteristic that features throughout the new standard is a requirement for what has been termed 'more precision'. Generally speaking, more detail on activities and planning are required to demonstrate capability and the management controls and documentation now align with other ISO's in the Societal Security and related areas (such as ISO 9001, ISO 31000, ISO 27001 etc).
ISO 22301 will challenge organisations to look closely at their current (BS 25999, BCM.01 et al) planning and question whether or not these are precise and detailed enough. Our initial feeling is that if the approach taken by an organisation originally was thorough and comprehensive there will only be relatively little work to achieve the ISO Standard.
There will be a window while Auditors and Certification bodies will be getting up to speed and there is likely to be quite a debate around the new standard and the perspectives it introduces. We can also imagine quite a few folks taking the Technical committee to task on a few of the areas where less information is provided or changes made (such as the Plan Do Check Act illustrations amongst others).
These are relatively minor providing the strategic and operation focus is maintained and in time may even offer a little more adaptability, that will have to remain to be seen though.
However, as the previous precedents have been that BSI will withdraw BS 25999-2 shortly, organisations will have to consider ISO 22301 as the only really international standard that they can align or certify to.
The broader implications arising from the arrival of ISO 22301 are interesting and particularly significant to the future of BCM.
Currently, most countries around the world do not have their 'own' national standard and through this Standard they now have the mechanism to easily adopt ISO 22301 and encourage its use more widely within their borders. In the UK to a degree we have been spoiled as we have one of the most mature sectors in the world, but with the extended supply chains and widely spread dependencies a more global view must be taken to protect our operations and interests. The International Standards Organisation has considerable gravitas and can be shown to have influenced greater development of marts linked to its standards.
Whilst one view may be that switching to ISO 22301 is not really necessary if you have BS 25999 in place, it is difficult to argue that the benefits will be retained to the same degree.
We're sure to see some reaction from the industries professional and we welcome your thoughts and opinions, please do send them through to us here!