To coincide with BCAW 2013, Business Continuity Awareness Week organised by the Business Continuity Institute (BCI), here are our five Top Tips on transitioning your Business Continuity Management System from BS 25999-2 to ISO 22301.
1. Allocate enough time and resource to complete the transition
Even though billing for ISO 22301 reassuringly says that BS 25999-2 is the lead reference document for ISO 22301, this relates mainly to the BC specific content in Clause 8. Don’t be lulled into a false sense of security! Because of the new ISO Management System structure it isn’t a straightforward read across from BS 25999-2 and the task of aligning with the new structure is significant. However, once done it is worth it and for us, will also facilitate integration of our BCMS with future management standards such as the updated ISO 27001.
2. Use ISO 22301 as the starting point
We recommend starting with the list of ISO 22301 requirements and pulling content across from BS 25999-2 where it meets the requirements of the new Standard rather than trying to bolt the new requirements into your BS 25999-2 documentation. This should result in a streamlined BCMS developed to support the achievement of your strategic objectives but without losing the value of your investment in BS 25999-2.
3. Beware the detail in the requirements
There are 105 specific requirements (identified by the term ‘shall’) in ISO 22301 vs 56 in BS 25999-2. The Standard needs reading really carefully to capture all the requirements. There are some sneaky ‘two in one’s’ which are easy to overlook. We created a gap analysis tool and implementation checklist that captures each individual requirement. This has been invaluable to our transition and in supporting clients implementing ISO 22301.
4. Create a usable document set
Create a document set that will support the practical implementation of your BCMS in support of your business, its culture, language and way of doing things rather than the needs of the auditor. We use a compliance matrix to map where each requirement specified in the Standard is met in the documentation to demonstrate compliance.
5. Going for certification
Liaise with your certification body about how they will conduct the transition. The approaches vary and it’s worth understanding this beforehand so you know what to expect to reduce the stress levels!
Find out more about the Standards and Supporting Documents for Business Continuity, and how Steelhenge can support your Business Continuity Management through training, exercising and how we can help your organisation certify to ISO 22301.
BCAW is the annual Business Continuity Awareness raising event organised by the Business Continuity Institute and runs 18-22 March 2013. Find out what’s on and follow events on Twitter using the hashtag #BCAW2013