In October 2019, ISO published an update to ISO 22301, the international standard for business continuity management.
Here are the main changes and how you can transition to the new edition if you already have ISO 22301 Certification.
Main Changes in ISO 22301:2019
Clause 8 – Operation
The main area where changes have been made is within Clause 8, the operation of the system. However, the changes are mainly to remove duplication and to clarify existing principles, rather than adding new content.
BIA ‘Impact Types’?
Reframing ‘impacts’ as ‘impact types’ perhaps adds more clarity to the BIA process, by directing organisations to consider a broader range of impacts to:
- Human,
- Financial,
- Legal,
- Reputational,
- Customer SLA,
- Business Objects.
Strategies and ‘Solutions’
The term ‘solutions’ has been added to this area of the standard, which suggests a broader scope for determining how you will manage disruptions to your organisation.
‘Consider Costs and Benefits’
For the first time, consideration of ‘costs’ has been specifically addressed when considering appropriate strategies (& solutions).
This perhaps recognises commercial needs to assess cost vs benefit, and allows organisations to accept the risk or pursue a cheaper strategy.
Distributing BCM Across the Organisation
The Incident Response Structure now references ‘one or more teams’, reinforcing the idea that business continuity procedures do not need to be centralised, but can be distributed at different levels of the organisation and at different locations.
New clause 8.6!
While exercising and testing still exist within clause 8.5, it appears to be much more focused on physical testing of the ‘strategies and solutions’.
Clause 8.6 has been added to ‘evaluate’ documentation and capabilities, expressly calling out:
- BIA, Risk Assessment, Strategies, Solutions, Plans and Procedures,
- Capabilities of partners and suppliers,
- Legal requirements and business objectives.
Planning Changes to the BCMS
A new clause in 6.3 reflects that of ISO 9001, in requiring changes to be carried out in a planned manner.
Transitioning to ISO 22301:2019
The usual transition period for updated ISO Standards is 3 years, which makes the deadline for transitioning your ISO 22301 Certification 30th October 2022.
As with all transitions to new versions of ISO standards, the Certification Bodies will produce a pathway in line with UKAS requirements.
However, there’s no need to delay implementing the new requirements of ISO 22301:2019. A gap analysis can be a good place to start, as this will advise on the areas of your BCMS that you can improve, in order to meet the new requirements.
Implementing ISO 22301:2019 for the First Time
If you are new to ISO 22301, this is the perfect time to start implementing the international standard for business continuity.
While the transition deadline is October 2022, UKAS will release a certification scheme for the new standard long before this.
So, accounting for adequate time to understand and implement the requirements into your organisation, and for the three months of records required to show the BCMS has been in operation, organisations can start the process now to be one of the first to certify to ISO 22301:2019.
Contact Assent Risk Management for more information on our ISO 22301 Gap Analysis, Implementation or internal auditing services.