What you will learn in this tip: The impending approval of the new global business continuity standard ISO 22301 is important news for those involved in their organization's business continuity planning. Learn about how ISO 22301 can help you, who is using it and why.
There are several domestic and international business continuity management (BCM) standards that impact disaster recovery and business continuity planning, such as NFPA 1600:2010, BS 25999 Part 2:2007 and ASIS SPC.1-2009. Each of these standards has been recognized by the U.S. Department of Homeland Security’s Private Sector Preparedness (PS-Prep) Program, a voluntary program for accreditation of new or existing BCM programs. However, the impending approval and distribution of a new global BCM standard -- ISO 22301 -- might change everything for business continuity planners and IT managers involved in disaster recovery planning.
History of ISO 22301
Development on a global standard for BCM began in the mid-2000s. The International Organization for Standardization (ISO) Technical Committee No. 223, referred to as both TC 223 and “Societal Security,” examined existing BCM standards and created a framework for a global BCM standard. The ISO adapted content from many of its existing standards, such as ISO 9000 and ISO 14000, into the new BCM standard.
However, the proliferation of BCM standards released between 2000 to 2010 made development of a global standard more difficult for officials. Most of the European Commission members adopted an existing BCM standard, typically the British standard, BS 25999, while nations such as Japan and India turned existing banking and finance standards into national standards.
Other countries, such as the U.S., Canada, U.K., Australia and Singapore, developed their own BCM standards.
Those national standards had common components, such as the need for BCM policy, a structured sequence of BCM plan development activities, exercising, awareness and training, records management, maintenance and continuous improvement. As the number of BCM standards increased, business continuity experts recognized that the time was right for a single global standard. A single standard will offer business continuity practitioners a set of guidelines for preparing, testing and deploying plans. The new standard will be especially valuable to multinational companies that currently must comply with several different BCM standards.
In December 2007, the committee released the ISO's Publicly Available Specification (PAS) 22399, defined as “Societal security — Guideline for incident preparedness and operational continuity.”
ISO PAS 22399 provided a way for the global community to examine a prospective BCM standard, which would also leverage heavily off of existing standards, especially the British standard, BS 25999. ISO 22301 was introduced late in 2010, and superseded PAS 22399.
According to the ISO, the standard will be published by the end of 2011 at the earliest; however, many experts believe the standard will be published early in 2012.
What is ISO 22301?
ISO 22301's framework is consistent with established BCM practice as defined by the British standard and the 2010 edition of the Business Continuity Institute’s Good Practice Guidelines.
The best bet is to purchase the standard from the ISO. You can obtain the discussion version now, or wait until the approved version becomes available (probably early next year). No matter which version you choose, ISO 22301 will be the principal governance model for business continuity and you should purchase the new standard when it becomes available.
Importance to BC professionals
With a universally accepted standard, plus detailed practices and procedures to add substance to the standard’s framework, BCM professionals will finally have a methodology that supports their efforts. For IT managers who perform technology disaster recovery, ISO 22301 may be useful, but the global standard for IT disaster recovery is ISO 27031:2011 entitled, “Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity” may be more pertinent.
The standard will be especially important for multinational firms that need a consistent cross-enterprise approach to BCM. The standard is also easily scalable so it can be adapted to organizations of nearly any size. Its structure and organization also make it a strong audit tool.
Who is using ISO 22301
At the moment, the “discussion version” of ISO 22301 is awaiting formal approval by ISO member nations so that it can be officially approved and released. Since the final version may be modified from the current version, it is advisable to wait until the final version is released and the two documents are compared to identify any variances.
If organizations already use an existing standard, such as the U.S. or British standards, they should continue to do so. When their overall BCM program is being reviewed, use that time as an opportunity to transition to the global standard.
On the assumption that BCM programs are audited and reviewed annually (as they should be), and considering that ISO 22301 is expected to be approved and released by mid-2012, we believe that plan auditing and updating activities are an excellent point in time to get in synch with the new global standard. While there are not likely to be any penalties for not using ISO 22301, it makes sense to get aligned with the global standard.
With regard to the PS-Prep program, since the current British standard BS 25999 is likely to be superseded by ISO 22301 when it is officially released, PS-Prep can simply replace BS 25999 with ISO 22301.
Existing BCM standards should not be discarded, as they can provide a wealth of detailed information for fleshing out ISO 22301’s framework. An example of such a standard is the joint ASIS/BSI BCM.01-2010 standard, “Business Continuity Management Systems: Requirements with Guidance for Use.” The section on guidance is based on BS 25999 and provides additional detail on how to use the standard’s components.
But approval of ISO 22301 is only the beginning. The proposed ISO 223XX standards are in development, and will be appearing in the coming years. Expect there to be new BCM standards from the existing standards organizations. One example is the BSI’s Published Document PD 25666:2010, “Business continuity management - Guidance on exercising and testing for continuity and contingency programs.” Designed to augment BS 25999, this standard may become the foundation for ISO 22398 (noted earlier), just as BS 25999 was a key input for ISO 22301.
Regardless of which standards you choose to use, be sure to adopt at least one standard as the framework of your BCM program. If you are using one or more of the existing standards, the transition to ISO 22301 is expected to be relatively easy.
About this author:
Paul Kirvan, CISA, FBCVI, CBCP, has more than 20 years experience in business continuity management as a consultant, author and educator. He has been directly involved with dozens of IT/telecom consulting and audit engagements ranging from governance program development, program exercising, execution and maintenance, and RFP preparation and response. Kirvan currently works as an independent business continuity consultant/auditor and is the secretary of the Business Continuity Institute USA chapter. He can be reached at firstname.lastname@example.org.