Entries in BCMS (5)

Friday, 18 May 2012

ISO22301 Published

I am sure that most of you will now have seen that ISO 22301 has been published this week.  This standard is a requirements standard against which you can achieve accredited certification as you could with BS25999-2.  Of course, the standard can be used to simply inform your own programme and report to customers, management and other interested parties without going through certification. ISO 22301 simply tells you what you must achieve, not how to do it.

ISO 22313 will provide more detailed guidance and should be published next year.  

Those who are already certified to BS25999-2 will be able to transition to ISO 22301, and these arrangements will become clear shortly.  Those who are already going through certification to BS25999-2 will also be able to transition to ISO 22301; there is no need to re-start the process.

ISO 22301 covers much the same ground as BS25999 and requires that organizations develop a management system and undertake all of the conventional business continuity stages, including BIA, risk assessment, developing a strategy, implementing solutions and plans, exercising and testing.  There are some differences: it is more specific about warning and communication and about dealing with the initial stages of incident response, and it requires performance metrics, i.e. measures to determine how effectively business continuity is being managed.

BS25999-2 will be withdrawn in November and the UK is adopting ISO 22301 as its replacement.  Norway, Sweden, South Africa and Thailand have already announced that they are adopting it, and we can expect to see more national standards bodies around the world adopting ISO 22301 as their recognised standard.  As such, the influence of ISO 22301 will be worldwide and represents a major step forward in improving societal resilience.

Wednesday, 9 February 2011

ISO22301 Published as a draft international standard (DIS)

I have been asked by many people about obtaining a copy of ISO/DIS 22301.  It should be available via your national standards body (e.g. the BSI) or directly via the ISO web site.  However, I recognise that in practice this is often a dull and time-consuming process, so I have placed a copy in the Resources section of this web site.

Monday, 24 January 2011

Oprel training

Oprel will soon be offering a suite of public training to complement our consultancy and in-house training. More soon.

Friday, 14 January 2011

ISO Standards news

ISO 22301 is now published for public comment, a stage known as DIS (Draft International Standard), and this will be the international requirements standard for business continuity.  It will be accompanied by guidance in a separate document which is still under development.  The guidance has recently been re-numbered to ISO 22313, which is a closer fit to the conventions for numbering related ISO standards.  Unfortunately the ideal numbers had already been allocated to unrelated standards.

ISO 22313 will therefore fulfil approximately the function of BS25999-1, although it will have the advantage of being written at the same time as the requirements document, and hence will cover the management systems elements absent from BS25999-1.

Tuesday, 7 December 2010

ISO22301 Published as a draft international standard (DIS)

After a long time in gestation, ISO 22301 has finally been published by ISO as a draft international standard.  This provides the first opportunity for the community at large to see and comment upon it, providing feedback to the committee and hence improving the content.

The current draft has a number of recognised weaknesses, and as the project team leader I am acutely aware of these.  There is a certain amount of repetition which may be confusing; this has largely arisen because of the constraints of trying to standardize management systems approaches between standards.  What the UK audience has been particularly asked to consider is whether the specific business continuity content in section 8 meets UK requirements: does it include things that we are not happy about, or does it exclude things that we feel are vital?  The document certainly reduces some of the prescriptive requirements in terms of detail, and this was a deliberate choice; but in doing so, have we lost anything of importance?

At an international level this provides the first continuity management standard that will be applicable across regions and countries; the question is whether it is fit for purpose.  We think it is a good start, but it is not the finished article, so please feel free to provide feedback to me or to your national standards body (BSI in the UK).