By Isobel Nicholas
As we set off into the New Year with the publication of both ISO 22301, the requirements for Societal Security – Business Continuity Management Systems (May 2012), and ISO 22313, its supporting Guidance (December 2012), what is the feedback on the new Standards to date?
It is still early days and accredited certifications are only just coming online, but our experience from both supporting clients in the process of implementing ISO 22301 and transitioning our own certified BCMS from BS 25999-2 has been largely positive.
On the up side:
- Enhanced senior management buy-in – In our experience with client projects, the detailed requirements linking the BCMS to the attainment of business objectives and the requirement of senior management to be involved in this process has made achieving senior management buy-in a natural rather than forced progression. They get it.
- Greater engagement of all staff – Such early support from senior management has definitely had a positive knock-on effect on the attitude and engagement of staff across the rest of the organisation, which can only bode well for the overall long-term success of the BCMS.
- Practical plans – There is a stronger ‘whole disruption lifecycle’ element to the Standard, with business continuity procedures required to cover warning and communication of an incident through response to recovery post incident.
- Exercises – The requirements to demonstrate that what is planned will work in practice have also been extended and more closely specified.
On the down side:
- More requirements – Implementation is heavy compared to BS 25999-2 and shouldn’t be underestimated. There are a significant number of new requirements, with 105 ‘shalls’ in ISO 22301 versus 56 in BS 25999. This means that:
  - Adequate resourcing needs to be made available to meet the detailed requirements, both during planning and subsequent management.
  - Detailed analysis of the Standard is required to capture all the requirements.
- New ISO management systems structure – The new standardised ISO structure will support the integration of management systems in the longer term – a positive step – but creating a suitable document set does require careful thought at the outset. This means that:
  - It isn’t a straightforward read-across from BS 25999, as a number of requirements have been dispersed to meet the new structure.
  - While the business continuity elements are fairly straightforward, there is a lot of work to meet the management system elements of ISO 22301.
Watch out for other posts in this ISO 22301 practical implementation series. Next up: ISO 22301 vs BS 25999: The Key Differences.