Less text, more flexibility; fewer regulations, more pragmatism - that's the new version of ISO 22301 for Business Continuity Management Systems (BCMS). While it doesn't bring earth-shattering changes, the revised version is still a significant step forward. Find out below what changes you can expect in the new version.
Since its initial publication in 2012, the ISO 22301 standard has become the international reference point for business continuity management systems. According to the annual ISO survey, more than 4,000 organizations are already certified to ISO 22301. This success is not limited to specific industries - we at DQS have certified banks, chemical plants, IT service providers and suppliers to the automotive industry, among others.
To ensure that this evolution continues, the International Organization for Standardization decided to revise the standard to reflect the findings from its first years of use. The revision was published in November 2019.
The good news: Few changes
First things first: companies that are already certified to ISO 22301:2012 should have no problems converting to the new version. If you put both versions side by side, you will immediately notice that there have been no structural changes.
Compared to the revisions of ISO 9001 and ISO 14001, which were completed in 2015, this revision is rather modest. The main change in the revisions of other standards was the adoption of the so-called High-Level Structure, a uniform structure for all management systems standards. However, ISO 22301 has always had this structure: in 2012, it was among the first standards to adopt the High-Level Structure.
Since structural changes were therefore not necessary, the standardization body was able to focus on improving the clarity and readability of the standard. Many redundant text passages were deleted, terms are used more consistently, and the inner logic of the text was strengthened.
And even better: Back to the essentials
What makes the new version particularly exciting is the fact that some requirements have been significantly streamlined. A good example of this is section 4.1: where the 2012 version was still prescriptive about everything that needed to be determined and documented to understand the context of the organization, the new version simply emphasizes the need to consider internal and external factors. How to achieve this is no longer specified, and the requirement to document this process has also been dropped. We note something similar in Section 7.4 - Communication: large sections have been deleted.
Another clause that has been slimmed down is 5.2 - Management commitment. As before, ISO 22301 requires a clear commitment from top management. However, where the 2012 version still required top management to "actively participate in practicing and reviewing," the new version is limited to the essentials: Guidance, Objectives, Resources, Effectiveness Review, and Continuous Improvement.
Other changes
Apart from a number of minor adjustments whose significance for certified sites is minor in practice, the following changes should be noted:
- There are hardly any new requirements in the revised version. One exception is Section 6.3, where organizations are required to make changes to the BCMS "in a planned manner." This requirement was not made explicit in the previous version, but is unsurprising in itself.
- Section 8.2.2 - Business Impact Analysis (BIA) requires that the analysis take "impact categories" as a starting point.
- Section 8.3, formerly titled "Business Continuity Strategy," is now titled "Business continuity strategies and solutions." The renaming reflects the increased pragmatism of the standard: more important than a grand strategy are the specific solutions to specific risks and impacts.
- The term "risk appetite" no longer appears in the new standard. This term was defined in the 2012 version as "the size and type of risk an organization is willing to take or maintain." The standard shifts the focus from risk appetite to impact: What impact is acceptable?
Revision of the ISO 22313 guide
The fact that the new standard appears leaner is also due to the fact that the requirements have been clearly separated from the guidance. What the requirements are is described in ISO 22301; how to meet them is explained in ISO 22313. The ISO 22313 guidance document, which dates from 2012 just like the standard, is now also being revised.
Timetable and changeover
There is a 3-year transition period starting Oct. 31, 2019, and certificates issued under ISO 22301:2012 will be valid until Oct. 31, 2022, at the latest, or must be withdrawn by that date.
Dr. Thijs Willaert
Dr. Thijs Willaert is Global Director Sustainability Services. In this role, he is responsible for the entire ESG service portfolio of DQS. His areas of interest include sustainable procurement, human rights due diligence and ESG audits.