I am sure that most of you will now have seen that ISO 22301 has been published this week.  This standard is a requirements standard against which you can achieve accredited certification as you could with BS25999-2.  Of course, the standard can be used to simply inform your own programme and report to customers, management and other interested parties without going through certification. ISO 22301 simply tells you what you must achieve, not how to do it.

ISO 22313 will provide more detailed guidance and should be published next year.  

Those who are already certified to BS25999-2 will be able to transistion to ISO 22301 and these arrangements will become clear shortly.  Those who are already going through certification to BS25999-2 will also be able to transition to ISO 22301, there is no need to re-start the process.

ISO 22301 covers much the same ground as BS25999 and requires that organizations develop a management system and undertake all of the conventional business continuity stages, including BIA, risk assessment, developing a strategy, implementing solutions and plans, exercising and testing.  There are some differences, it is more specific around warning and communication and dealing with the initial stages of incident response; and there is a need for performance metrics - i.e. measures to determine how effectively business continuity is being managed.

BS25999-2 will be withdrawn in November and the UK is adopting ISO22301 as its replacement.  Norway, Sweden, South Africa and Thailand have already announced that they are adopting it and we can expect to see more national standards bodies around the world adopting ISO22301 as their recognised standard.  As such, the influence of ISO 22301 will be world wide and represents a major step forward in imporving societal resilience.

The final editing process is now underway for ISO 22301 Societal Security - Business Continuity management systems - requirements.  As only minor editorial changes are allowed at this stage, the final publication will be substantially as was seen at FDIS stage.  We expect publication to be in mid-May 2012 once final proofing has been completed.

I am very pleased to say that ISO 22301 has been approved and will now proceed to publication as anticipated.  This is excellent news and we now have an International Standard for business continuity for the very first time.

This is a requirements standard and we anticipate that the audit bodies will already be preparing for its implementation and will soon offer accredited certification against the standard.  Those already certified to BS 25999-2 will have an opportunity to transition to the new standard but the details of this have still to be formally worked out.

ISO 22313 which provides guidance to ISO 22301 is currently at DIS stage and available for comments on the BSI web site or through your national standards body if outside the UK.

Our ISO 22301 training course is available!

As ISO 22301 moves slowly towards finalisation, it is worth highlighting that there will be a considerable effort by BSI and others to publicise the new standard.  For those of you with an interest, there are events planned as follows:

• Late May in Paris, Madrid and Barcelona
• May 9th in The Netherlands (Ede)
• September in the UK

I am sure that there are others but as I have been asked to speak at these, I thought it worthy of mentioning them.  I will provide more details as we have them.

ISO will also publish an article within the internal ISO magazine in order to publicise the new standard across the ISO organisation itself.  I am sure that other popular sources of information on business continuity will be publishing articles too.

As far as the FDIS is concerned, we have spotted a few minor quirks that need sorting out before final publication.  There are some rather oddly worded notes at the start of each section which are simply confusing and we will seek to have these removed and the pagination is a little strange in that some headings appear at the foot of the page rather than being kept with the relevant text.  These are minor points of administration and should not present any difficulty.

As previously mentioned the Final Draft International Standard has been released.  The BSI have taken the unusual step of making this available for purchase, a recognition of the widespread interest.  This can  be found at - http://shop.bsigroup.com/en/ProductDetail/?pid=000000000030259977

The FDIS still needs to be approved, but if it is, then publication will follow and so I would currently anticipate that the final version should be available in May of this year.