ISO 22301:2019 vs ISO 22301:2012 - Blog - Evalian

ISO 22301:2019 vs ISO 22301:2012

February 17th, 2020 Posted in ISO 22301

ISO standards are revised every five years to ensure that they continue to reflect the collective view of global practice. Consequently, November 2019 saw a revised publication of ISO 22301, the international standard for business continuity first published in 2012.

While the standard has been renamed from “Societal Security – Business continuity management systems – Requirements” to the slightly less cryptic “Security and resilience – Business continuity management systems – Requirements”, this revision of the standard is more evolution than revolution, and the changes that it introduces are improvements that all contribute to the standard becoming less prescriptive, more pragmatic, and therefore easier to implement, transition to and work with.

Ultimately, there are no significant changes to the development of a BCMS, and the targeted results remain the same.

Structure of the Standard

ISO 22301:2012 was the first ISO standard to adopt Annex L (previously Annex SL) which provides a framework now common to all new management system standards published by ISO, the International Organisation for Standardisation. The structure of the revised Standard remains largely unchanged, however, it has been streamlined for better reading and easier understanding. While removing the detail and providing less direction, the Standard now places greater emphasis on skills and competence.

What has changed in the ISO 22301:2019 Standard?

The changes introduced in this new 2019 version can be summarised as follows:

  • Some terminology has been simplified. For instance, references to “risk appetite” have disappeared, and some jargon has been eliminated in favour of “plain English”;
  • Some requirements are less prescriptive, allowing organisations to adopt an approach that better fits their context:
    • Clause 4.1 – Understanding the organisation and its context:
      the clause has been simplified and no longer includes a requirement to formally document the process;
    • Clause 5.2 – Top Management is still expected to commit to the BCM policy, but the new revision is more focused on the effective management of the BCMS, rather than top management’s direct involvement in activities such as exercises and tests;
    • Clause 7.4 – Communication. The clause is far less detailed and aligns to the communications requirements of other standards such as ISO 27001;
  • Clause 6.1.2 clarifies that the risks and opportunities that must be addressed relate to the effectiveness of the BCMS, and not the risks of disruption. These are catered for in clause 8.2.3.
  • More significantly, clause 8.3 sees its name changed from “Business Continuity Strategy” to “Business Continuity Strategies and Solutions”. It now mandates organisations to not only develop high level strategies to ensure business continuity, but to also define solutions on how to manage specific risks and impacts relevant to continuity. From a management perspective, the shift of focus from strategies to solutions will help with the identification of resources and budgetary planning.

What is new in the ISO 22301:2019 Standard?

ISO 22301:2019 introduces some new requirements:

  • Although previously implied, there is now a mandatory requirement to implement changes to the BCMS in a planned manner (clause 6.3). Changes must consider:
    • Purpose and consequences;
    • Impact onto the integrity of the BCMS;
    • Resource availability;
    • Impact to the way responsibilities and authorities are defined;
  • Clause 8.2.2 – Business Impact Analysis now mandates the definition of impact categories, with explicit direction on what these categories should be. Definitions of the different aspects and components of the BIA are also much clearer;
  • A new clause 8.6 has been added to specifically focus organisations on the evaluation of their business continuity documentation, including the business continuity capability of their supply chain, legal requirements and the alignment of business continuity preparedness to business objectives.

The modifications introduced by the new 2019 revision should not be difficult to implement on the basis that they introduce greater flexibility, better understanding and remove some of the constraints inherent to the 2012 version.

Timescales for transitioning to the ISO 22301:2019 revision

According to UKAS:

  • Organisations can be certified against the 2019 revision from 30/04/2020;
  • Most certification bodies will cease certification against the 2012 version on 30/04/2021;
  • Organisations certified to the 2012 version must transition to the 2019 revision by 31/10/2022. Certificates against the 2012 version will cease to be valid on 31/10/2022.

Need help?

If your organisation wishes to certify to ISO 22301, or is already certified to ISO 22301:2012 and is considering whether to transition to the 2019 revision, we can help. Contact us for a friendly chat.

  • This field is for validation purposes and should be left unchanged.

Daniel Djiann Evalian Limited 250x250

Written by Daniel Djiann

Daniel consults on ISO 27001, ISO 22301, ISO 9001 and business continuity. He has specialised in organisational resilience for much of his career, working as a consultant and in-house for multi-national organisations. He is also Head of our ISO & Business Continuity Practice. He is an ISO 27001 and ISO 22301 Lead Auditor and a Member of the Business Continuity Institute, MBCI.