The Covid-19 pandemic has brought into sharp focus the need for every organization to have a business continuity plan.
As one of the most well-respected frameworks for business continuity, the ISO22301 standard has a part to play in helping organizations cope with the current crisis while preparing for the next one.
ISO updated the standard late in 2019 – little did they know that this was probably one of the most timely updates they have ever done.
We at CertiKit have announced an update to our popular ISO22301 toolkit for business continuity. This update brings the toolkit in line with the 2019 version of the standard and will be provided free of charge to all customers who bought it in the last 12 months, or who have extended their support subscription.
But that’s not the full story. We have also redesigned the toolkit for our new look and feel, which means a new layout with fresher fonts and colour scheme and more use of Microsoft Office features such as themes.
There are content updates, too, with more on planning for a pandemic, better tools (with new dashboards) and a handy toolkit index to clearly show which clauses of the standard are addressed by which documents.
We’ve also given our forms a revamp and done away with the need to have Microsoft Visio installed to amend diagrams such as procedure flowcharts.
The first thing to say is that the foreword to the new version of the standard clearly states that “requirements have been clarified, with no requirements added”.
So that would suggest there’s very little to do in moving from the old version to the new. But I believe that statement minimises what is actually quite a significant revamp of the ISO22301 standard. Let me tell you why.
At its first release, ISO22301:2012 was the first ISO standard to be written according to the new Annex SL format, or high-level structure. This is a standardised set of headings, and in many cases wording, which is now used across all ISO standards that have a management system at their heart.
It makes it easier to run the same management system across multiple standards, such as ISO9001 (quality management), ISO14001 (environmental management) and of course ISO22301.
Over the seven years to 2019, ISO has been gradually honing and developing the Annex SL layout (renamed to simply “Annex L” by ISO in 2019), with the result that it is now subtly different from those early days in 2012.
This is reflected in the odd minor change in headings, for example, the dropping of the term Organizational from clause 5.3 Roles, responsibilities and authorities, and clause 8.5 is now Exercise programme rather than Exercising and testing.
In many cases this has meant simplification of the requirements of the standard; for example, clause 4.1 Understanding the organization and its context has shrunk from 14 lines to two, with the missing 12 lines reduced to a simple “NOTE”.
Clause 5.2 Management commitment has been merged into 5.1 Leadership and commitment and is now roughly half the length. In fact, overall there are three pages fewer in the 2019 version, although much of that difference is down to fewer terms and definitions – there are a lot fewer of these (31 vs. 55); instead ISO22300 – Security and resilience – Vocabulary has become a Normative reference.
There are also additions. The content of 6.1 Actions to address risks and opportunities has been split into two subsections, as has 6.2 Business continuity objectives and planning to achieve them. A new clause, 6.3 Planning changes to the BCMS, has been included.
Some text has simply been moved. Clause 9.1.2 Evaluation of business continuity procedures has jumped from the Performance evaluation section to the Operation section and is now clause 8.6 Evaluation of business continuity documentation and capabilities.
Possibly the most significant change in the 2019 standard is that Clause 8.3 is now Business continuity strategies and solutions. This is a change that’s worth talking about, as the term solutions is a new one; what does ISO mean by this, and how do solutions fit in with strategies, plans and procedures?
Let’s take an example. Based on your business impact analysis and risk assessment, you may decide that the risk of flooding of your main building is something you need to plan for. So you decide that the strategy you will adopt is to relocate to an alternative site if the worst happens.
In order to achieve this strategy, you may need one solution for emergency transport (to get people and other resources to the alternate site), a second for network redirection (so that people working at the alternate site have access to IT systems) and a third for alternate staffing (to ensure those areas of the business that are most important have enough people to support them). So that’s one strategy that makes use of three solutions to achieve it.
There will then be a plan which will set out how a flooding event will be responded to. There may be more than one strategy available to cope with this type of incident, so a choice between strategies may need to be made. If you choose the alternate site strategy, a set of procedures will be invoked to deliver the solutions that make up that strategy.
These will define how to arrange emergency transport, how to redirect the network and how to find more staff. The idea is to create a flexible framework where strategies and solutions may be selected dynamically based on the circumstances, given that what actually happens is rarely what was planned for. So ISO22301 has maybe become a bit more “real world” in its approach.
So what else has changed? Well, there’s a more explicit need to define the impact types used in your business impact analysis (clause 8.2.2) and a need to consider the costs and benefits involved in choosing your strategies and solutions (clause 8.3.3).
A new note makes clear the difference between clause 6.1 Actions to address risks and opportunities (these are to do with the BCMS itself) and clause 8.2.3 Risk assessment (these risks are to do with the disruption of business activities). Generally, the wording has changed in a lot of areas too numerous to mention.
I hope you can see that the 2019 version of ISO22301 is by no means the same document as its predecessor. The risk is that it may trip you up at audit time if you’re transitioning from one to the other, so be careful.
In our toolkit, we’ve worked hard to address the new version of the standard in a no-nonsense, effective way, always with the obvious thought that business continuity has never been a more important issue than it is today.