ISO 22301:2019 released: 5 key changes from 2012 version
Following the publication of various draft versions of the Standard, BS EN ISO 22301:2019 was released last week. In this week’s Blog, URM provides you with its analysis of 5 key differences from the 2012 version of this International Standard for Business Continuity Management Systems.
• The 2019 edition is significantly less detailed and prescriptive than its predecessor. However, in the process of removing the detail and providing less direction, the Standard places greater emphasis on the skills and competence of those individuals who are responsible for designing and implementing the management system processes. There are no substantial changes in the processes that make up a business continuity management system (BCMS) and the same end results are required.
• Clause 6.1.2 now makes it clear that the risks (and opportunities) that need to be addressed relate to the effectiveness of the BCMS, as opposed to the risks of disruption, which are addressed by Clause 8.2.3. The same relationship is intended in other standards such as ISO 27001. If you are implementing a BCMS, you will need to work out how to meet the requirements of this clause.
• The requirements for conducting the pivotal business impact analysis (BIA) are now clearer. The relationship between unacceptable impact, maximum tolerable period of disruption and prioritized timeframes for activity resumption is defined, as is the use of the BIA to identify ‘prioritized activities’. The 2012 edition required prioritized timeframes simply to consider impact. It should be noted that there is no specific requirement in the 2019 version to document the BIA process.
• A key assurance process, evaluation of procedures, specifically requires the suitability, adequacy and effectiveness of BIAs and risk assessments to be evaluated. This was previously only an implicit requirement in the name of effectiveness, and the change points to the key role played by BIAs and risk assessments.
• The concept of minimum activity levels has shifted. The 2012 edition focused on the need to identify minimum levels of products and services and minimum acceptable levels of activity, with the link between the two left implicit. The 2019 edition focuses on the minimum acceptable capacity of resumed activities.