According to various sources, the leading business continuity standard BS 25999-2 will be replaced by the international standard ISO 22301 by the end of 2011. (Update: the new scheduled date is June or July 2012.) This kind of transition is normal – the same thing happens with most management standards, for instance with ISO 27001, which succeeded BS 7799-2 in 2005. So what are the main changes that ISO 22301 will bring when compared to BS 25999-2?
One important note here – since ISO 22301 hasn’t been published yet, the final version of the standard still doesn’t exist, so some of the things I’ve written here may not appear in the final version. I am using a draft version published in February 2011 on the BSI Draft Review website.
ISO 22301 will have this title: ISO 22301, Societal security – Business continuity management systems – Requirements. Although “societal security” may sound a little strange in relation to business continuity, here is how ISO defines it: “… standardization in the area of societal security, aimed at increasing crisis management and business continuity capabilities, i.e. through improved technical, human, organizational, and functional interoperability as well as shared situational awareness, amongst all interested parties.”
At first sight, it is obvious that the structure of ISO 22301 is very different from that of BS 25999-2, although all the basic elements of BS 25999-2 still exist in ISO 22301. Let’s take a deeper look.
Similarities…
The biggest similarity is that all core business continuity elements of BS 25999-2 will be present in ISO 22301 too: business continuity policy, business impact analysis, risk assessment, business continuity strategy (in ISO 22301 it will be called “business continuity options”), business continuity plans, exercising and testing, etc.
Business impact analysis will probably be broken down into several clauses, demanding more precision. The requirements for business continuity plans, including response procedures and recovery plans, are much more detailed too – e.g. the communication part.
The management part of BS 25999-2 will also be transferred to the new standard – document control, internal audit, management review, corrective and preventive actions, human resources management, etc. (by the way, these elements exist in all other management standards – ISO 9001, ISO 14001, ISO 27001…). However, the documentation will be called “documented information”, and preventive actions will be called “actions to address issues and concerns”.
… and differences
The Plan-Do-Check-Act (PDCA) model is stated even less clearly in ISO 22301 than in BS 25999-2, although BS 25999-2 is itself not as clear in that respect as ISO 27001. However, in my view that won’t affect the clarity of the process through which the standard should be implemented, since the main sections of the standard are organized in a rather logical way.
ISO 22301 will obviously put much greater emphasis on setting objectives and on monitoring performance and metrics – therefore bringing business continuity much closer to top management’s way of thinking.
Following that line, ISO 22301 sets clearer expectations for management and summarizes them in a single section.
ISO 22301 will resolve one of the shortcomings of BS 25999-2: it will require much more careful planning and preparation of the resources needed to ensure business continuity – those requirements are now extended and more clearly structured.
Finally, what will be different about ISO 22301, being an international standard, is that certification bodies will push certification against this standard much harder, so it will gain popularity much faster.
In conclusion, all the basic elements of BS 25999-2 will probably be present in ISO 22301 too, only ISO 22301 will be more precise and more demanding. Organizations that have already implemented BS 25999-2 and want to “upgrade” to ISO 22301 will have to pay more attention to detail and will have to invest more time into preparing and maintaining their system. On the other hand, ISO 22301 will certainly help them raise their level of resilience and their level of credibility – the same thing that ISO 27001 did 6 years ago when it replaced BS 7799-2.