The standard that will introduce a business continuity management standard at international level for the first time, ISO22301, is moving closer to final publication. After some hiccups and disagreements within the committee responsible, a meeting in Beijing has finally resolved to move forward to Final Draft International Standard (FDIS).
The secretary has to submit this to the International Standards Organisation (ISO) in Geneva and there are then some administrative activities leading to publication of the FDIS. This does not usually take very long but at the previous stage there was a delay of some weeks before official publication. The FDIS stage itself then requires a 2 month consultation period where comments may be submitted, however only minor changes can be made at this time.
Once these comments have been dealt with and whatever changes agreed and made, the final document is published. So we might consider that publication of the FDIS will take place at the end of the year, the 2 months consultation will complete by the end of February, further consideration and publication is therefore liable to be in Q2 2012.
So for countries with no existing national standard, they can adopt the ISO immediately. For those that have existing standards it is slightly more complicated. In the UK we must consider what happens to BS25999-2. We have a working presumption that this will be withdrawn, however BS25999 is in use and companies have existing certifications, and it is written into US legislation. So exactly when BS25999-2 is withdrawn has still to be discussed and formally agreed.
We also need to consider whether BS25999-1 should be withdrawn in consequence: the guidance to accompany 22301 (ISO 22313) is following close behind but is not yet published so again there is a question of timing, and indeed there is a question of whether the UK wishes to retain BS25999-1 in some form, perhaps through updating and evolution incorporating key points from the various PDs and PAS200 that have been published since. So the future of this has also still to be formally decided.
Companies with existing certifications will be able to migrate to ISO 22301 certification and there is an established process for this. However, it is clear that we will all need more information about the detail of this and now that we have some certainty of progression to publication, this is discussion that can be opened with the relevant organisations.