The International Organization for Standardization's ISO 22301, Security and Resilience -- Business Continuity Management Systems -- Requirements, is the global standard for business continuity. Updated most recently in 2019, ISO 22301:2019 has gone through some structural changes from the previous version in 2012.
At a high level, if you already have the 2012 version of ISO 22301, don't discard it. Most of its content is still valid, but much of the content has been streamlined for ease of understanding and action. Below are some key changes in the 2019 edition, as well as tips to ensure that you can get the most value from ISO 22301:2019 and its companion standards.
Be sure to also use the ISO 22301 companion standard, ISO 22313:2012, Societal Security -- Business Continuity Management Systems -- Guidance. It supports ISO 22301 by providing additional details on preparing the various elements of a business continuity management system (BCMS). That standard is due for an update in 2020.
Table of contents
Examining the two tables of contents in ISO 22301 shows very few changes, other than some restructuring and renaming of section titles.
According to the standard, the principal changes ISO made in 2019 as compared to the 2012 edition are as follows:
- Requirements for management system standards, which have evolved since 2012, have been applied
- Requirements have been clarified, with no new requirements added
- Discipline-specific business continuity requirements are now almost entirely within Clause 8 (Section 8)
- A restructuring of Clause 8 to provide a clearer understanding of the key requirements
- Numerous discipline-specific business continuity terms have been modified to improve clarity and to reflect current thinking
ISO added a section to the introduction, "Benefits of a Business Continuity Management System," which has language that can help justify the need for a BCMS. ISO also modified the Plan-Do-Check-Act management system description to reflect updated ISO management system requirements.
Scope, normative references, terms and definitions
ISO has updated many of the terms in the standard to reflect current views on the profession. The new version provides convenient reference pointers for each term, showing where it appears in the standard's text. In ISO 22301:2019, the committee responsible for the BC standard removed the term "maximum tolerable period of disruption," which was used in the 2012 edition. They replaced it with the more general term "disruption," which the committee felt had greater flexibility with regard to issues such as length, severity and cause of the disruption.
ISO left the following sections largely unchanged or simply restructured them:
- Section 4 -- Context of the Organization
- Section 5 -- Business Continuity Management System
- Section 6 -- Planning
Section 7 -- Support has been restructured, and its content has been slightly revised by ISO for the 2019 version. ISO restructured and revised much of Section 8 -- Operation. They've added a new subsection, "Evaluation of business continuity documentation and capabilities," to underscore the importance of periodic examinations of and updates to BCMS documentation and also to ensure that the documentation is compliant with the standard. This subsection was taken from the 2012 version of Section 9 -- Performance Evaluation, which ISO also restructured and revised.
The organization slightly revised content in Section 10 -- Improvement for ISO 22301:2019.
Numerous items in the original standard, such as guidelines for business impact analyses (BIAs) and supply chain business continuity management, have been recast into totally new standards. Specifically, the new BIA standard is ISO/TS 22317:2015, Societal Security -- Business Continuity Management Systems -- Guidelines for Business Impact Analysis (BIA), and the new supply chain BC standard is ISO/TS 22318:2015, Societal Security -- Business Continuity Management Systems -- Guidelines for Supply Chain Continuity.
This is an important trend for BC professionals who wish to ensure compliance with the global standards. The ISO will, over time, issue new standards in its ISO 223XX series that provide additional guidance on key activities defined in ISO 22301.