After many years of hard work by ISO’s Technical Committee 223, ISO 22301, Societal Security — Business Continuity Management Systems — Requirements (the first international standard addressing business continuity management) was approved for publication by member countries earlier this week. ISO 22301 is a “requirements” document, meaning it is written in a way that enables audits and certification.
Brian Zawada, a member of the Continuity Insights editorial advisory board, Director of Consulting Services at Avalution Consulting and member of the U.S. Technical Advisory Group to ISO Technical Committee 223, discusses the ramifications for the business continuity industry, when the standard will be available and how ISO 22301 affects those already certified to BS25999.
Continuity Insights: What does the approval of ISO 22301 mean for the BC industry in the U.S. and internationally?
Brian Zawada: Overall, this is the first comprehensive business continuity management systems standard developed by a true international body. As an ISO standard, it’s natural that international entities will cite the content in this document, which will enable a common language and expectations among parties around the world. Additionally, because of the respect afforded to ISO standards, it’s also natural that entities — regardless of geography — will use this standard as a summary of best practices and expectations, which will hopefully enable the improvement of business continuity performance.
CI: What are the next steps? When is it available for purchase, etc.?
BZ: Organizations and individuals interested in ISO 22301 should be able to purchase a copy in the next two months. The “FDIS” version of the standard, which is presently available on ISO.org, will undergo one final grammatical review before being formally published as an international standard. The accompanying business continuity management systems “guidance document”, ISO 22313, will likely be published later in the year as it is presently being voted on (and commented on) as a draft international standard. Together, these two documents offer a great summary of best practices in business continuity, with ISO 22301 noting the “what” should be done and ISO 22313 offering ideas on “how” to implement, operate and continuously improve a business continuity management system.
CI: An article on the Continuity Forum implies BS25999 will expire in the not-too-distant future. Is it urgent that those certified to BS25999 start the ISO 22301 certification process to ensure they remain certified? Do those certified to BS25999 already comply with ISO 22301?
BZ: No formal decision has been made regarding the withdrawal of BS 25999-2. Based on past situations where the British Standards Institute (BSI) had a predecessor standard to an ISO standard, it’s likely it will be withdrawn. With that said, there are significant similarities between BS 25999-2 and ISO 22301. It would not be difficult for those who implemented a business continuity management system or program based on BS 25999 to transition to ISO 22301. If BS 25999-2 is withdrawn, those with a BS 25999 certification will find it necessary to transition their certification to ISO 22301 when their certification expires. Any organization that’s concerned about this should contact their certification body for guidance on the process going forward. In my opinion, this transition will not be difficult. I’ve done a cross-walk and although there are content and document organization differences, the changes are relatively minor — less jargon, and expanded content in incident response/management and risk mitigation.
Stay tuned for more coverage of the new ISO 22301 standard.