What is new?
ISO 22301:2019
The new revision of ISO 22301 – Business Continuity Management Systems was published on October 30 and is now available as ISO 22301:2019; the changes are minor.
The focus was on increasing the standard’s practical suitability; this is already reflected in the new name – the former title “Societal security” of the 2012 version has been changed to “Security and resilience – Business continuity management systems – Requirements” in the 2019 version.
ISO 22301 is the first standard that specifies the requirements for implementing and maintaining an effective business continuity plan. It will help an organization to respond more effectively to disruption and to recover from it more quickly, thus reducing the impacts on persons, products and the company’s performance.
The key changes in ISO 22301:2019:
- focus on a resilient organization that adapts to changes more effectively
- focus on quick recovery from disruption based on response plans and employees who know how to respond in case of a disruptive incident
- systematic identification of internal weaknesses to mitigate them and implementation of plans to respond in case of disruption
- redundancies of texts and requirements have been removed
- 100% adaptation to the “high level structure”
- improved and “process-oriented” structure – clear and logical operational sequence
- emphasis on processes
- enhanced user-orientation, such as:
  - 4.1 – “Context of the organization” – documentation requirements have been reduced
  - 5.1 – “Leadership and commitment” and management commitment are now summed up in one clause
  - 5.2 – Active participation of management in response exercises is no longer required
  - 6.3 – It is now required to plan the changes to the BCM management system
  - 8.2 – A BIA (Business Impact Analysis) should now take impact categories as a starting point
  - 8.3 – In the previous version of the standard, the focus was on BCM strategies; now, the practical focus is also on finding solutions for specific risks and impacts
- improved integration into existing management systems, such as ISO 9001, ISO 14001, ISO 45001, etc.
- instead of an organization’s risk appetite, the focus is now on impacts and the extent to which an impact is acceptable for an organization.
The transition period will be 3 years, which means that after 30 October 2022, certificates for ISO 22301:2012 will no longer be valid.