ISO Business Continuity Standard 22301 to replace BS 25999-2
The BSI has confirmed that the new International Standard for Business Continuity - ISO 22301 Societal Security Business Continuity Management Systems Requirements - will be officially published in mid-May.
We expect that copies will be available for purchase from around the 15th May from this official link.
With the publication of ISO 22301 it is expected that many countries around the world will formally adopt the International Standards Organization Standard for Business Continuity, enabling much greater international consistency to be realised between national requirements and better meeting the needs of global organizations.
In addition, as part of the ISO framework of standards, the new format helps create opportunities to manage what have often been independent systems in a more integrated way through common terms and processes. This should assist in better embedding of the various management systems available from ISO within organisations.
ISO 22301 has been developed with contributions from a broad range of Subject Matter Experts (including the Continuity Forum) working through national standards bodies from around the world to develop an updated framework of good practice, building on the formal Standards from the BSI in the UK, ANSI in the US, Standards Singapore, Standards Australia and others.
The foundation of much of the work reaches back to the need to develop a consistent understanding of what Business Continuity is and how it can be developed, and the contribution of NFPA 1600 and PAS 56 on this journey should not be underestimated. It was the development of BS 25999, which delivered both Guidance and Requirement aspects, that laid the foundation for much of the wider adoption of Business Continuity. In the US, the work was shared by ASIS and the BSI to bring together American and British experts, building on the experience of creating BS 25999, which led to BCM.01.
Tim McGarr of the BSI said: "The new 'BS ISO 22301 Business Continuity Management Systems. Requirements' Standard is the result of a lot of hard work by the members of the UK BSI committee (BCM/1) and their equivalents around the world. However, to ensure the broadest support for the ISO 22301 Requirements standard, the BSI and the BCM/1 committee members have decided that BS 25999-2 will be withdrawn. We expect other standards bodies around the world will follow the BSI's lead, and that this step will help simplify the choices for organisations and position ISO 22301 as the benchmark to demonstrate good practice Business Continuity internationally."
Already many organisations are wondering how this may affect their current Business Continuity Management programmes, especially if they either have, or are working towards, what has proven to be the world's most popular Standard, BS 25999-2.
Well, BS 25999-2 (note: part 2 - the specification bit used for audit and compliance) is going to be officially withdrawn by the BSI on the 1st November 2012. There is no reason to panic though! The withdrawal of BS 25999-2 is part of the management process required for the UK to accept ISO 22301 as the new national standard, and as such there is a transition period to help all the organisations affected manage the change.
The transition period effectively lasts two years, with no BS 25999-2 certificates being issued after May 2014, though by then folks really should be certifying to ISO 22301! There are good reasons to have this transition, as it'll enable the organizations that support the BCM and Audit aspects to make thorough preparations, helping end users of all types complete an effective transition. It also recognises that the detailed ISO 22313 Guidance Documents will not be available until early next year. The BCM/1 Committee is currently working on this and even once the review of the recent Consultation (that closed on the 11th April) is complete, there are still two further ISO stages to complete before publication of 'ISO 22313 - Guidance' is possible. Part 1 - the Guidance for BS 25999 - will continue to be available, providing help and advice on most of the topics covered in the new ISO.
McGarr added, "Within the next 12 months ‘ISO 22313 Business continuity management systems. Guidance’ will publish. This has been developed in parallel and closely connects with ISO 22301. The review of comments is underway for ISO 22313, following the consultation on the Draft (DIS), and the BCM/1 team is busy reviewing the feedback that runs to over 100 pages. This level of interest clearly shows that ISO 22313 is another vital work stream for both the BSI and BCM/1 that will likely prove to be as important to the sector in helping embed Business Continuity good practice into organisations."
Significantly, the transition period also helps the United Kingdom Accreditation Service (UKAS) to work with certification bodies in a structured way, and they will commence their assessments of the processes in place in Q4/2012 following Gap analysis of the Final form of ISO 22301.
Chairman of the Continuity Forum, Russell Price, said, "Once the ISO was published BS 25999-2 really had to be withdrawn, it really would have been completely untenable to have the two standards sitting on the shelf side by side, and it would have made the situation very difficult indeed for professionals and businesses. It should be stressed that there has been a huge contribution from the BSI BCM/1 committee into the development of ISO 22301, and it contains a tremendous amount of industry experience gained from developing and assessing good practice Business Continuity in practice."
He added, "Once the inevitable decision was made to withdraw BS 25999-2, we had to make sure that organisations had time to assess their specific circumstances and adapt to the new national standard. With the transition period agreed with UKAS, there is that time to enable a properly managed transfer to ISO 22301, perhaps including further reviews and updates to the planning and its scope."
The Continuity Forum will be running Webinars and a series of Workshops on ISO 22301 and what it means to you. If you would like to know more or register your interest then please click here.
If you would like to comment or if you require any more information please do get in touch with us directly here!