ISO 22301 is here, so what really changed from BS 25999?

There are several changes, but here are the top 10 that we consider will most affect the present and future business continuity ‘mind share’ within organisations.

Change #1 – inclusion of the word “societal” in the standard. Several organisations, especially those linked to public services, must fulfil social obligations. The inclusion of the word ‘societal’ should therefore be interpreted as bringing social obligations into the scope of business continuity. Ask yourself: does your continuity plan ensure those ‘social’ obligations are met? If the answer is no, you need to include this in your ISO 22301 certification programme.

Change #2 – definition – business continuity plan (term and definition (ISO 22301 T&D) 3.8) – inclusion of ‘respond, recover, resume, and restore’, or let’s call them the 4Rs. For every service, design for the 4Rs. The restoration to normal operation is more emphatic in the new standard than it was in BS 25999.

Change #3 – definition – maximum acceptable outage (MAO) – (ISO 22301 T&D 3.25) this appears to be a simplification of the phrase maximum tolerable period of disruption (MTPOD), stating how long you can withstand an outage, a key planning metric for continuity planners. It is a new term that you must be aware of. If you already have an MTPOD defined from BS 25999, note that not much has changed.

Change #4 – inclusion of recovery point objective (RPO) – (ISO 22301 T&D 3.44) a term that was always part of business continuity terminology but was missing from BS 25999. If you are a strict BS 25999 aficionado, this would need to be defined and implemented in your BCP. The term has always been part of data backup policies. With this inclusion, the BCP manager should question whether data restoration is aligned with the minimum service level at RTO.

Change #5 – (ISO 22301 Clause 4.3.2) scope of the BCMS – document and explain exclusions – this is one major change. An organisation now needs to clearly define which services or events are within the scope, and to document and explain what is excluded. We have seen scope statements that are too broad and at times misleading; this clause should now drive a major change.

Change #6 – the definition of ‘risk’ is derived from enterprise risk management (ISO 31000). ISO 31000 defines risk as the ‘effect of uncertainty on objectives’. So the first question to ask is: where is the ‘enterprise risk register’? This change brings business continuity closer to ERM. If you are the business continuity manager, ask yourself which of the enterprise risks are treated by business continuity and which are not.

Change #7 – warning and communication (ISO 22301 Clause 8.4.3) – the standard appears to lay special emphasis on monitoring incidents and events from internal and, especially, external sources. This is more of an ‘alert infrastructure team’ that should be seen as part of the communication infrastructure. This is new and must be implemented; it is not enough to say that a BCM manager exists.

Change #8 – business continuity plan (ISO 22301 Clause 8.4.4) – BS 25999 divided the response and recovery processes between an incident management plan and a business continuity plan. The new standard appears to have replaced the two sets of plans with a single framework.

Change #9 – the standard requires a mandatory two-layer restoration strategy: one layer that restores the minimum business continuity objectives (MBCO), and another that restores the remaining continuity objectives.

Change #10 – performance evaluation (ISO 22301 Clause 9) – there appears to be a special emphasis on performance evaluation, which we perceive will bring more maturity to the domain. Organisations seeking ISO 22301 need to define a measurable framework, which should be the benchmark for internal audit (Clause 9.2) and management review (Clause 9.3).

In summary, the standard appears to have moved from a general reference to a more specific, mature, measurable framework. There also appears to be a special emphasis on, and linkage with, society, an alert mechanism/infrastructure, and an attempt to integrate with enterprise risk management.

This post is intended to cover the broad changes and is therefore not exhaustive.

Consider a migration to the ISO 22301 – 2013 version if you are compliant with BS 25999. You have until 2014 to migrate.

Hope this helps!

Author: Probal C