The International Standard for Business Continuity Management Systems is well and truly here, and we at Steelhenge have already started transitioning our own BCMS, and have been busy assisting clients with their ISO 22301 implementation. Below we take you on a whistle-stop tour of the headline differences between the requirements of BS 25999-2 and ISO 22301.
The requirements of ISO 22301 are presented in a different structure to BS 25999-2. With ten clauses to BS 25999-2’s six, ISO 22301 is the first Standard to be published in accordance with ISO’s Annex SL. This sets out a new format for all future and revised management systems standards. There are also a much larger number of requirements to be met in the new Standard; 105 ‘shalls’ in ISO 22301 versus 56 in BS 25999-2.
Clause 4 specifies a new formal requirement to define the Context of the Organisation. The aim is to provide all the information required to establish a BCMS relevant to and supportive of the organization and its objectives. The requirements cover both external and internal factors. External factors include such influences on the organisation as the political, economic and legal/regulatory environment. Internal factors include everything required to enable it to do what it does and achieve its objectives i.e. products, supply chain, interested parties, information systems, policies and objectives, governance, culture and so on.
Senior management commitment
Clause 5 on Leadership will also be standard in all future management systems standards. Essentially, compared to BS 25999-2, there are more explicit requirements placed on senior management to be proactively involved in implementing business continuity policy and objectives – and to have demonstrable evidence of this.
ISO 22301 places much more emphasis on communication than BS 25999-2. This is in line with the Societal Security objective of the ISO TC223 Standards. Procedures are required for internal and external communications detailing on what the organisation will communicate, when and with whom, both during normal business and during a disruption. Requirements are included for alerting interested parties who may be impacted by a potential or actual disruptive event and enabling two-way communication with interested parties including the local community, media and emergency responders. There are also specific and very practical requirements around checking and testing of proposed communications capabilities and their availability during disruption, for example what happens if mobile comms go down? Can we still communicate with our interested parties?
Clause 8 contains the BC-specific requirements of the Standard and many of these are very similar to the BCM Lifecycle components of BS 25999-2. For example, BIA and risk assessments, selection of business continuity strategy, business continuity and incident management plans. However, a new requirement at 8.4.5 specifies the need for recovery plans to restore and return business activities from the temporary state adopted to meet minimum business continuity objectives to normal after a disruption. This applies to ALL business activities not just activities prioritised in the BIA.
Setting Objectives and Performance Evaluation
ISO 22301 puts more emphasis on the setting of measurable objectives and performance evaluation. Clause 9 is a new clause specifying requirements for the monitoring, measurement, analysis and evaluation of the performance and effectiveness of the BCMS. The clause also includes the Internal Audit and Management Review requirements, familiar to BS 25999 users. However, additional procedures are required to determine what needs to be monitored and measured, when and how the results will be evaluated and action taken to address any adverse trends. The procedures are expected to cover the setting of suitable metrics, assessing the performance of the processes protecting its prioritized activities and evaluating the suitability and effectiveness of business continuity procedures.
For a detailed examination of ISO 22301 and what’s new from BS 25999-2, download a full slide pack.