Business Continuity - BS 25999, ISO 22301 and ISO 22313
In May 2012, the International Organization for Standardization (ISO) published ISO 22301 – Business continuity management systems – Requirements. Although this standard was long in the making, the response has been very positive, and with the promise of ISO 22313 – Business continuity management – Guidance – before the end of this year, it seems it was worth the wait.
ISO 22301 blends the requirements from several national standards, including those from the USA, Japan, Singapore, Canada and Australia. The similarity with BS 25999-2, however, is most evident. A comparison of the BS and ISO standards reveals little difference in the requirements, and in Clause 8 of the ISO standard, where the business continuity programme requirements reside, the text is identical in many places.
For organizations already certified or aligned to BS 25999 and considering ISO 22301, the alignment between the two standards will be good news. However, because the principles, requirements and terms are so similar, BSI will withdraw BS 25999-2 in November 2012. Fortunately, the United Kingdom Accreditation Service (UKAS) has already announced a two-year transition plan, which should enable organizations to obtain accredited certification to ISO 22301 during the course of their normal (or surveillance) visits. UKAS will not issue certifications or renewals to BS 25999-2 after May 2014.
For organizations that want guidance, ISO 22313 is due to be published in December 2012. The public consultation ended in May and the feedback was very positive. The document will undergo further revision based on the comments received, and so should be an excellent companion to ISO 22301; it could also be used as a stand-alone document.
Together, these standards will help organizations understand and implement a BC management system as well as help the BCM community continue to grow. Upon publication of ISO 22301, many countries confirmed that they will adopt ISO 22301 and several countries (including the UK) immediately announced they will withdraw their national standards. This will prevent confusion by reducing the number of BCM standards and is a credit to the international experts who developed ISO 22301.
While the requirements are very similar in the BS and ISO, there is a significant difference in the format of the ISO standards. From 2012, ISO requires all new management system standards to use common terminology, headings and text. A management system is a framework for managing and improving the organization’s policies, procedures, and processes. This concept can be difficult for organizations not familiar with a “management systems approach”. And if an organization subscribes to more than one management system standard, it may be frustrating (and costly) if the requirements for the systems are not aligned. For these reasons, ISO developed the common headings, text, and terms.
In general, the effort to align management system standards has been well received in all quarters. The common structure combines the popular Plan Do Check Act (PDCA) method used in standards such as the ISO 14000 series on environmental management and the ISO/IEC 27000 series on information security with the "process approach" used in the ISO 9000 series on quality. The headings in ISO 22301 include: Terminology; Understanding the organization (and its context); Leadership; Planning; Support; Operation; Performance evaluation; and Improvement. The common text accompanying the headings is clear and succinct. Because all management system standards will eventually need to use this format, ISO 22301, as one of the first standards to adopt it, will integrate easily with other standards in future.
The business continuity management requirements in BS 25999-2 are mirrored in ISO 22301 and include: conducting a business impact analysis; business continuity strategy; protection and mitigation; incident response structure; business continuity plans; recovery; and exercising and testing.
As with all requirements standards, ISO 22301 is concise and includes many "shall" statements. Fortunately, the guidance, ISO 22313, does a good job of clarifying the intent of the requirements and providing explanations and examples. There is a direct correlation between the clauses in the requirements and those in the guidance. And while ISO 22313 provides more information, it does not introduce any concepts (or requirements) that are not already in ISO 22301.
But what happens to BS 25999-1, Business continuity management: Code of practice? If the ISO guidance had the same content as BS 25999-1, it would likely be withdrawn along with BS 25999-2, the requirements standard. But since publishing the Code of practice in 2005, the BSI committee responsible for BCM has been very busy and has published several more continuity standards in response to gaps in the flagship standards. Publications on crisis management, human aspects of continuity, exercising and testing, supply chain continuity, and recovery management expand on areas in BS 25999-1 and are current. One standard, BS 25777 – ICT continuity management – has already come and gone: it was used in the development of ISO/IEC 27031 on ICT continuity management and is now withdrawn. It is possible that the additional BSI guidance will be used by ISO in future, but as ISO has a much longer development time, the BSI Code of practice and related guidance documents will remain available to those who need them for the foreseeable future.
Given the availability and quality of additional guidance, it is possible that BS 25999-1: Code of practice will be revised to include the most current available information.
Regardless, with the release of ISO 22301 and imminent publication of ISO 22313, BCM practitioners and organizations finally have international consensus on what constitutes good BCM practice and will soon have the additional guidance to build a better business continuity programme.
David Adamson is a committee manager at BSI. He is responsible for the areas of security, business continuity management and risk.
reproduced with permission City Security Magazine, July 2012, issue 44