BS 25999 is to be replaced by ISO 22301
The Business Continuity Management standard BS 25999 is going to be replaced by the newly published ISO standard ISO 22301.
ISO 22301’s full title is: ‘Societal security - Business continuity management systems – Requirements’ and the International Organization for Standardization (ISO) defines the standard as:
"...standardization in the area of societal security, aimed at increasing crisis management and business continuity capabilities, i.e. through improved technical, human, organizational, and functional interoperability as well as shared situational awareness, amongst all interested parties."
The structure of the new ISO standard is very different to BS 25999 (technically BS 25999-2) however the basic elements of BS 25999-2 still exists in ISO 22301. The following briefly describes the similarities and differences between both standards.
- All of the core business continuity elements in BS 25999-2 are present in ISO 22301 too namely: business continuity policy, business impact analysis, risk assessment, business continuity strategy (in ISO 22301 it will be called "business continuity options"), business continuity plans, exercising and testing etc.
- The business impact analysis requirement is now broken down into several clauses, demanding more precision in its application. The requirements for business continuity plans, including response procedures and recovery plans, are more detailed in the new standard - e.g. the communications section.
- The management section of BS 25999-2 is also transferred to the new standard ISO 22301; document control, internal audit, management review, corrective and preventive actions, human resources management etc. (These also exist in all of the other management standards - ISO 9001, ISO 14001, ISO 27001...).
- However the documentation will be called "documented information” and preventive actions will be called "actions to address issues and concerns".
- The Plan-Do-Check-Act (PDCA) model is not as clearly defined in ISO 22301 as within the old standard BS 25999-2.
- ISO 22301 places an increased emphasis on setting the objectives, and monitoring performance and metrics, therefore bringing business continuity much closer to top management way of thinking. Following that line, ISO 22301 puts clearer expectations on management and summarizes them in a single section.
- ISO 22301 will resolve one of the shortcomings of BS 25999-2, and will require increased careful planning for and preparing the resources needed for ensuring business continuity - those requirements are now extended and more clearly structured.
To conclude all of the basic elements of BS 25999-2 are present in the new standard ISO 22301 but ISO 22301 will be more precise and demanding. Organizations that have already implemented BS 25999-2, and want to "upgrade" to ISO 22301, will need to pay additional attention to detail and will need to invest more time into preparing and maintaining their system. On the other hand, ISO 22301 will certainly help them raise their level of resilience and their level of credibility - the same thing that ISO 27001 did 6 years ago when it replaced BS 7799-2.
Certification Europe’s transition policy (from BS 25999 to ISO 22301) will follow shortly and we have been informed that it will late 2012 before UKAS can support this process with us.