I am sure that most of you will now have seen that ISO 22301 has been published this week.  This standard is a requirements standard against which you can achieve accredited certification as you could with BS25999-2.  Of course, the standard can be used to simply inform your own programme and report to customers, management and other interested parties without going through certification. ISO 22301 simply tells you what you must achieve, not how to do it.

ISO 22313 will provide more detailed guidance and should be published next year.  

Those who are already certified to BS25999-2 will be able to transistion to ISO 22301 and these arrangements will become clear shortly.  Those who are already going through certification to BS25999-2 will also be able to transition to ISO 22301, there is no need to re-start the process.

ISO 22301 covers much the same ground as BS25999 and requires that organizations develop a management system and undertake all of the conventional business continuity stages, including BIA, risk assessment, developing a strategy, implementing solutions and plans, exercising and testing.  There are some differences, it is more specific around warning and communication and dealing with the initial stages of incident response; and there is a need for performance metrics - i.e. measures to determine how effectively business continuity is being managed.

BS25999-2 will be withdrawn in November and the UK is adopting ISO22301 as its replacement.  Norway, Sweden, South Africa and Thailand have already announced that they are adopting it and we can expect to see more national standards bodies around the world adopting ISO22301 as their recognised standard.  As such, the influence of ISO 22301 will be world wide and represents a major step forward in imporving societal resilience.

The final editing process is now underway for ISO 22301 Societal Security - Business Continuity management systems - requirements.  As only minor editorial changes are allowed at this stage, the final publication will be substantially as was seen at FDIS stage.  We expect publication to be in mid-May 2012 once final proofing has been completed.

As ISO 22301 moves slowly towards finalisation, it is worth highlighting that there will be a considerable effort by BSI and others to publicise the new standard.  For those of you with an interest, there are events planned as follows:

• Late May in Paris, Madrid and Barcelona
• May 9th in The Netherlands (Ede)
• September in the UK

I am sure that there are others but as I have been asked to speak at these, I thought it worthy of mentioning them.  I will provide more details as we have them.

ISO will also publish an article within the internal ISO magazine in order to publicise the new standard across the ISO organisation itself.  I am sure that other popular sources of information on business continuity will be publishing articles too.

As far as the FDIS is concerned, we have spotted a few minor quirks that need sorting out before final publication.  There are some rather oddly worded notes at the start of each section which are simply confusing and we will seek to have these removed and the pagination is a little strange in that some headings appear at the foot of the page rather than being kept with the relevant text.  These are minor points of administration and should not present any difficulty.

As previously mentioned the Final Draft International Standard has been released.  The BSI have taken the unusual step of making this available for purchase, a recognition of the widespread interest.  This can  be found at - http://shop.bsigroup.com/en/ProductDetail/?pid=000000000030259977

The FDIS still needs to be approved, but if it is, then publication will follow and so I would currently anticipate that the final version should be available in May of this year. 

Oprel are pleased to announce the launch of our training courses which can be provided as bespoke in-house courses or you can attend the public courses.  We are offering a course on implementing ISO 22301 taking you through all of the steps needed to implement this new standard, due for publication later in 2012.

Our larger offering is a new set of courses, organized as 10 modules and with study in between these modules where you can study in greater depth and apply what you have learned.  These courses take you through the basics of business continuity and then through the entire lifecycle, combining study with practical exercises.

We are trying to offer a different form of training to our attendees.  The training is not just in the class but is supported by mentoring and information sharing between modules.  Our aim is to impart knowledge and capability, you should emerge as a competent business continuity practitioner.  Too many courses are designed to cram information and then to take an exam for qualifications, but here we are aiming to produce competent people over a longer period with more in-depth support.

If this sounds interesting to you, please contact us.