After a period of review, the new edition of ISO 22301:2019, which sets out the requirements for Business Continuity Management Systems, was published on the ISO website at the end of October, replacing the previous ISO 22301:2012 version.
Why implement a Business Continuity Management System according to ISO 22301?
The ISO 22301 standard helps organizations assess their ability to keep meeting their business commitments and obligations even when a disruptive event affects them.
To this end, the standard sets out the requirements for planning, implementing, operating, maintaining and continually improving a Business Continuity Management System (BCMS). Such a system prepares the organization to deal with a wide spectrum of incidents, helps reduce the likelihood that incidents occur, and enables it to respond and recover when they do.
Main changes: ISO 22301:2012 vs ISO 22301:2019
Notably, if your organization has already obtained ISO 22301:2012 certification, you should have no problem transitioning to the new version: there have been no major structural changes to the standard.
Since ISO 22301:2012 already followed the ISO high-level structure, the entire standard did not need to be rewritten; the changes have focused mainly on drafting and clarity. As a result, the text has become more consistent and logical.
The main changes have been the following:
- Updated terms and definitions, including a reference to ISO 22300, Security and resilience – Vocabulary.
- More flexibility and pragmatism: redundant sections have been removed. One example is the reduction, or more concrete formulation, of the requirements in the clauses on Context of the organization, Leadership, Planning, Performance evaluation and Improvement.
- The specific requirements at the core of business continuity are set out in clause 8. Although the structure of its sub-clauses has barely been modified, their content has been improved, especially in the following respects:
  - Business Impact Analysis (BIA): defining impact types and evaluating them over time.
  - Pragmatism regarding the duty to find strategies and solutions for each specific impact or risk.
  - What matters is not the risk the organization is willing to take, but the level of impact that risks may have on its activities.
  - The need for business continuity plans to take into account the impact on the environment when managing the immediate consequences of an outage.
  - The importance of the teams responsible for responding to an incident: the actions they must take, their roles and responsibilities, and the relationships between them.
  - Business continuity capability assessments of relevant partners and suppliers.
  - Maintenance of an exercise and testing program.
- Alignment of the management system with other ISO standards, such as ISO 27001 or ISO 9001.
Timeline and transition
From the publication of the new version there is a transition period of three years: all certificates issued against the 2012 version will lose their validity in the fall of 2022.
At AUDISEC, with the support of the GlobalSUITE® software, we offer the help and advice needed to fully adapt your organization to the new ISO 22301:2019 standard and thus obtain the corresponding certification.
The software, developed entirely by our team, supports the implementation, management and maintenance of all the requirements of the standard in organizations of every type and sector. Turn ISO standards management into a simple process with GlobalSUITE® management software.