What is ISO 22301, and how does it differ from BS 25999?

What is ISO 22301?

ISO 22301 has been developed to help organisations minimize the risk of disruptions. ISO has officially launched ISO 22301, “Societal security – Business continuity management systems – Requirements”, the new international standard for Business Continuity Management System (BCMS). This standard will replace the current British standard BS25999.

ISO 22301 is the world’s first international standard for Business Continuity Management (BCM) which can be used by organisations of all sizes and types. These organisations will be able to obtain accredited certification against this standard and so demonstrate to legislators, regulators, customers, prospective customers and other interested parties that they are adhering to good practice in BCM.

ISO 22301 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to prepare for, respond to and recover from disruptive events when they arise. The requirements specified in ISO 22301 are generic and intended to be applicable to all organisations (or parts thereof), regardless of type, size and nature of the organisation. The extent of application of these requirements depends on the organisation’s operating environment and complexity.

Which organisations does ISO 22301 apply to?

ISO 22301 applies to all types and sizes of organisations that wish to:

  • establish, implement, maintain and improve a BCMS
  • assure conformity with the organisation’s stated business continuity policy
  • demonstrate conformity to others
  • seek certification/registration of its BCMS by an accredited third party certification body; or
  • make a self-determination and self-declaration of conformity with this International Standard.

How does ISO 22301 differ from BS25999?

The requirements of ISO 22301 are presented in a different structure to BS 25999-2. With ten clauses to BS 25999-2’s six, ISO 22301 is the first Standard to be published in accordance with ISO’s Annex SL. This sets out a new format for all future and revised management systems standards. There are also a much larger number of requirements to be met in the new Standard; 105 ‘imperatives’ in ISO 22301 as opposed to 56 in BS 25999-2. Among the more important standards are:

Planning:

Clause 4 specifies a new formal requirement to define the Context of the Organisation. The aim is to provide all the information required to establish a BCMS relevant to and supportive of the organisation and its objectives. The requirements cover both external and internal factors. External factors include such influences on the organisation as the political, economic and legal/regulatory environment. Internal factors include everything required to enable it to do what it does and achieve its objectives i.e. products, supply chain, interested parties, information systems, policies and objectives, governance, culture and so on.

Senior management commitment:

Clause 5 on Leadership will also be standard in all future management systems standards. In contrast to BS 25999-2, there are more explicit requirements placed on senior management to be proactively involved in implementing business continuity policy and objectives, and to have demonstrable evidence of this.

Communication:

ISO 22301 places much more emphasis on communication than BS 25999-2. This is in line with the Societal Security objective of the ISO TC223 Standards. Procedures are required for internal and external communications detailing on what the organisation will communicate, when and with whom, both during normal business and during a disruption. Requirements are included for alerting interested parties who may be impacted by a potential or actual disruptive event and enabling two-way communication with interested parties including the local community, media and emergency responders. There are also specific and very practical requirements around checking and testing of proposed communications capabilities and their availability during disruption, for example what happens if mobile communications go down – can we still communicate with our interested parties?

Recovery Plans:

Clause 8 contains the BC-specific requirements of the Standard and many of these are very similar to the BCM Lifecycle components of BS 25999-2. For example, BIA and risk assessments, selection of business continuity strategy, and business continuity and incident management plans. However, a new requirement at 8.4.5 specifies the need for recovery plans to restore and return business activities from the temporary state adopted to meet minimum business continuity objectives to normal after a disruption. This applies to all business activities not just activities prioritised in the BIA.

Setting Objectives and Performance Evaluation:

ISO 22301 puts more emphasis on the setting of measurable objectives and performance evaluation. Clause 9 is a new clause specifying requirements for the monitoring, measurement, analysis and evaluation of the performance and effectiveness of the BCMS. The clause also includes the Internal Audit and Management Review requirements, familiar to BS 25999 users. However, additional procedures are required to determine what needs to be monitored and measured, when and how the results will be evaluated and what action needs to be taken to address any adverse trends. The procedures are expected to cover the setting of suitable metrics, assessing the performance of the processes protecting its prioritized activities and evaluating the suitability and effectiveness of business continuity procedures.

How can Krypsys help your business?

The Krypsys approach to ISO 22301 engagements in the majority of cases is to first carry out a Gap Analysis of the organisation against the clauses and controls of the standard. This will provide a clear picture where you already conform to the standard, where there are some controls in place but there is room for improvement and where controls are missing and need to be implemented. For some organisations this will be the extent of the assistance required. Following the Gap Analysis and debrief, you may require additional assistance by way of advice and guidance and project management of implementation of suitable controls and documentation required to meet the standard, in preparation for external certification.

For further information about ISO 22301 and how Krypsys can help your business, contact 0845 474 3031