A revised version of the ISO 22301 standard was released in October 2019. The revised version included some changes and clarifications, but introduced no new requirements.
Those who have been following the standard for a while may remember that it underwent a major update to its “management system” components (clauses 4-10) in 2012. That’s also when the standard’s annexes were introduced which included all the details. Over time, other standards followed suit – like ISO 31000, ISO 27001 and ISO 9000. This consistency makes it much easier for organisations to integrate their various “management systems”.
What are the main changes?
* Discipline-specific business continuity requirements are now almost entirely within section 8;
* The PDCA cycle still exists but unfortunately no longer aligns each clause (4-10) to one of the 4 PDCA stages;
* Clause 4 – Understanding the Organisation and its Context: There is no need to document your ‘context’; just determine what the external and internal issues are;
* Clause 7.4 – Communication: This now only refers to the need to communicate elements of the BCMS. Business continuity specific communication requirements are now all defined in clause 18.104.22.168;
* Clause 8.2.2 – Business Impact Analysis: The focus is now on defining ‘impact types and criteria’ relevant to your context and using these to assess impact over time. Examples of ‘impact types’ could include financial, reputational, operational, and legal and regulatory;
* Clause 8.3 – Business Continuity Strategy: There is now a requirement to ‘implement and maintain selected business continuity solutions so they can be activated when needed’;
* Clause 8.4 – Business Continuity Plans, Including Response Structure: The standard now specifies some specific requirements that need to be addressed in a BCP;
* Clause 8.5 – Exercise Programme: An organisation must now develop teamwork, competence, confidence and knowledge for those who have to perform in relation to disruptions; and
* Clause 9 – Performance Evaluation: Monitoring, measurement, analysis and evaluation now includes requirements to identify not only when monitoring and measuring shall be performed, but also when the results shall be analysed and evaluated, and by whom.
How long do you have to transition?
If your organisation is currently certified to ISO 22301:2012 you are likely to have up to three years to transition to ISO 22301:2019. After 30th October 2022 certification to ISO 22301:2012 will no longer be valid.