The first edition of ISO 22301 was launched in May 2012. It was the first truly internationally accepted standard on business continuity, and it consists of requirements to implement a Business Continuity Management System according to ISO Annex SL. As such, it stood in line with its prominent predecessors such as ISO 9001 and ISO/IEC 27001.
When working group WG 2 of ISO/TC 292 (ISO Technical Committee 292 on Security and Resilience), which is responsible for this standard, first asked the community about the need to update it, there was astonishingly little response. We, as members, could not believe that nobody intended or wished to update this international standard. However, interest suddenly exploded, and the respective Project Team within WG 2 was confronted with an unprecedented volume of change requests concerning ISO 22301:2012.
As of now, several modifications have been integrated into the current DIS (Draft International Standard), and the process is not yet finished. During the revision process, a number of parallel developments had to be taken into account. As ISO 22301:2012 was the first in a series of standards on business continuity developed by this TC, care had to be taken to synchronize modifications with the central glossary of this TC (ISO 22300) and with the auxiliary standards (technical specifications, technical reports (TR)) developed after 2012 (e.g. standards on organizational resilience, business impact analysis, etc.).
Here is a summary of current modifications and similarities as compared to the original version:
- The PDCA model diagram was deleted, as diagrams are hard to standardize and typically lead to endless discussions and interpretations.
- Clauses 4 to 10 cover the components of PDCA, as before.
- There are no normative references in this document.
- The terms and definitions were updated to include the ISO Online Browsing Platform and the IEC Electropedia; both are web-based information platforms.
- In clause 3 “Terms and Definitions” several terms were modified, redefined, removed and added. Major changes include:
The list above might perhaps seem tedious, but it reflects the new way in which the community sees this particular aspect of the standard, and the project team received numerous comments on this clause.
- Clause 4 “Context of the organization” received only minor modifications. The project team tried to create introductory sub-clauses at the beginning of each clause. As such, for example, sub-clause 4.1 is an introduction to clause 4 and sub-clause 4.2.1 (general) is an introduction to sub-clause 4.2.
- Clause 5 on leadership was streamlined.
- Clause 6 on planning was enhanced, focusing on business continuity objectives and planning to achieve them (6.2). A new sub-clause on planning changes to the BCMS (6.3) was introduced.
- Clause 7 on support was streamlined.
- Clause 8 (operation) took a lot of time to modify, as expected, since it addresses the core of business continuity. While the structure of the sub-clauses was not changed much, the new additions to the content were heavily discussed and, hopefully, improved to better suit the requirements of the practitioners who use this international standard. For example, sub-clause 8.2.2 “Business impact analysis” was enhanced and a reference to ISO 22318 (supply-chain continuity) was added. Notes referring to the terms MTPD and RTO (both removed from the clause on terms and definitions) were added. Sub-clause 8.3, formerly called “Business continuity strategy”, was renamed “Business continuity strategies and solutions”, highlighting (in 8.3.2) the need for the identification and selection of strategies and solutions. Clause 8.4 (formerly called “Establish and implement business continuity procedures”) has been renamed “Business continuity plans and procedures”, focusing on “Response structure” (8.4.2), “Warning and communication” (8.4.3), “Business continuity plans” (8.4.4) and “Recovery” (8.4.5). A sub-clause on “Exercise program” (8.5) replaces the sub-clause formerly called “Exercising and testing”.
- Clause 9 on “Performance evaluation” and clause 10 “Improvement” were streamlined, also taking into account the new requirements by ISO on how these clauses should look in order to be aligned with all ISO management system standards.
In today’s business landscape there is a rising need to address the complex range of threats that can disrupt business operations. As such, the capability of an organization to continue operating during a disruption has never been more important, and it is no surprise that the update of ISO 22301:2012, the leading international standard for business continuity, is very important to practitioners, professionals and businesses worldwide.