At the start of January this year, a draft updated version of the international business continuity management standard, ISO/DIS 22301, was issued. Although international standards are updated on a regular basis, you could be forgiven for wondering why ISO 22301 is being revised at all and what changes we are likely to see. ISO 22301 was the first standard to be developed using Annex SL and its high-level structure, so there is no need to make any substantive changes to the structure of the standard: it already aligns neatly with other popular standards such as ISO 9001 and ISO 27001.
One reason why we are seeing an updated version is that business continuity now sits under a different technical committee, Security and Resilience rather than Societal Security. With the new committee came a natural concern to ensure that the standard is still relevant to today’s business environment, and that is why we have ISO/DIS 22301. DIS, incidentally, stands for Draft International Standard; the DIS stage enables interested parties to make comments and to submit positive or negative votes. If technical changes are required, an FDIS (Final Draft International Standard) will be issued, which goes through a similar process, including a vote by ISO members, before the standard is finally published.
So, back to ISO/DIS 22301. What changes are we likely to see when ISO 22301:2019 is published later this year? Based on the DIS, nothing radical, it would appear. Certainly, if you are already certified or progressing along the implementation path, there are no substantive changes and there is nothing to worry about. If anything, the new version will be less prescriptive and more pragmatic than the 2012 version. For example, whilst top management still needs to demonstrate leadership and commitment to the management system, a number of specific requirements, such as ‘actively engaging in exercising and testing’, have been removed. A further example is subclause 4.1. In the 2012 version, the standard details what an organization needs to identify, document and establish in order to understand the organization and its context. In the ISO/DIS 22301:2019 version, however, there is simply a requirement to ‘determine external and internal issues’.
The new Security and Resilience committee has also taken the opportunity to remove duplication, simplify the terminology and make the standard more accessible. This is certainly the case with Clause 8, where content has been reordered, duplication removed, and terminology simplified and made more consistent. Subclause 8.3 has been renamed ‘Business continuity strategies and solutions’ and reflects the increased pragmatism of the standard, with a greater focus on finding solutions for specific risks and impacts.
References to risk appetite have been removed in the DIS. Again, pragmatism appears to rule. Instead of referring to the rather nebulous and subjective term ‘risk appetite’, the emphasis is now on understanding the point at which the impact of not resuming an activity would become unacceptable.
In the process of removing duplication and simplifying definitions, the standard has been stripped down to the essential requirements, and the guidance component is being moved to ISO 22313.
In a nutshell, whilst there are no fundamental changes, the 2019 version of ISO 22301 will be shorter, less directive and more practical than its predecessor, and will provide greater clarity and consistency.