New ISO 22301:2019 Business Continuity Management Standard

The revised version of the ISO 22301 standard covering business continuity was released in October 2019. As a result, the old version ISO 22301:2012 has been superseded by the new version ISO 22301:2019.

In general, the change is not significant, with no major new requirements added. Other changes include simplified and more consistent terminology, reordering of the content and removal of some duplication.

The Changes

Some of the main changes from the 2012 version are outlined below.

  • Clause 4.1 Understanding the Organisation and its Context

This section has been reduced significantly in length and only covers high-level requirements. Documenting the external and internal issues is no longer required; they just need to be determined.

The simplification in wording is now more in line with what is used across the other standards such as ISO 9001 and ISO 45001 amongst others.

  • Clause 6 Planning

This clause has been restructured to reflect some of the other current management system standards and now includes 6.3 Planning changes to the BCMS.

  • Clause 7.4 Communication

This clause is now much more similar to the other management system standards, with the only difference being that it refers to communicating elements of the BCMS.

  • Clause 8.2.2 Business Impact Analysis

The BIA clause now focusses on the requirement to define ‘impact types and criteria’ relevant to the organisation’s context and to use these to determine impact over time.

Within the Risk Assessment clause 8.2.3 the reference to ‘risk appetite’ has been removed. However, risk appetite is still referred to in clauses 4.1 and 8.3.3.

  • Clause 8.3 Business continuity strategies and solutions

The title of this clause has changed from ‘Business continuity strategy’ to ‘Business continuity strategies and solutions’. However, it is nothing new, so there is no need to be confused by the new terminology.

In the transport clause 8.3.4 f) under resource requirements, it now includes ‘logistics’ as well. Clause 8.3.5 also defines more clearly that business continuity solutions can be activated when needed, but that should already be in place in organisations that have used the old standard.

  • Clause 8.4 Business Continuity Plans and Procedures

This clause has changed slightly in the wording and may require some updates to your BCMS to be able to demonstrate this is addressed.

Under the response structure in clause 8.4.2 the standard now outlines that business continuity plans and procedures shall:

  • Have a structure that identifies one or more teams responsible for responding to disruptions and the relationships between them.
  • Team personnel and their alternates must be identified. Additionally, the responsibility, authority and competence must be stated.

Consider here how the relationships between teams are demonstrated. Also, alternates are a new requirement in the standard.

Another thing to consider, if relevant for your organisation, is that the BCP contains details on how to manage the immediate consequences of a disruption with regard to the impact on the environment, as stated in clause 8.4.4.2.

  • Clause 8.5 Exercise Programme

Some new words have been used in this clause as well. Organisations now need to develop teamwork, competence, confidence and knowledge for those who have roles to perform in relation to disruptions.

  • Clause 9 Performance Evaluation

This clause, ‘Monitoring, measurement, analysis and evaluation’, now also requires identifying when results from monitoring shall be analysed and evaluated, and by whom.

The reference to performance metrics has been removed. However, it does not mean you should automatically stop producing them if they are beneficial.

This clause has been tidied up and shortened significantly.

For the Management Review section, inputs and outputs have been re-organised and reduced.

alphaZ documents for ISO 22301:2019 Compliance

To ensure our documents continue to meet the requirements of this updated standard we have made some changes to some of the key documents that are required for ISO 22301 compliance:

  • ER16 Business Continuity Risk Register - the Business Impact Analysis section now includes a column for Maximum Tolerable Period of Disruption (MTPD) and a column to log the Recovery Time Objective (RTO) for each critical function.
  • F-Q94 Business Continuity Plan Form - the section where the responsible person is identified now includes the name of the Alternate(s).

As the alphaZ package is written around sensible business management, management of risk and controls to ensure continuity of service, this update to ISO 22301 has not led to any significant changes or updates. Any management system set up using IMS1 to the requirements of ISO 22301:2012 just needs to update the two files listed above and update the single ISO standard reference to 22301 in IMS1 to transition to this standard.
