ISO 22301 to Replace BS 25999-2

According to various sources, the leading business continuity standard BS 25999-2 will be replaced by an international standard ISO 22301 by the end of 2011. This kind of transition is normal – the same thing happens with most management standards, for instance with ISO 27001 when in 2005 it succeeded BS 7799-2. So what are the main changes that ISO 22301 will bring when compared to BS 25999-2?

One important note here – since ISO 22301 hasn’t been published yet, the final version of the standard still doesn’t exist, so some of the things I’ve written here may not exist in the final version. I am using a draft version published in February 2011 on the BSi Draft Review website.

ISO 22301 will have this title: ISO 22301, Societal security – Business continuity management systems – Requirements. Although “Societal security” may sound a little strange in relation to business continuity, here is how ISO defines it: “… standardization in the area of societal security, aimed at increasing crisis management and business continuity capabilities, i.e. through improved technical, human, organizational, and functional interoperability as well as shared situational awareness, amongst all interested parties.”

At first sight, it is obvious that the structure of ISO 22301 is very different from BS 25999-2, although all the basic elements of BS 25999-2 still do exist in ISO 22301.

  - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – -  
Choosing the Right Security Solution: Moving Beyond SSL to Establish Trust
- – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – -

Let’s take a deeper look.

Similarities…

The biggest similarity is that all core business continuity elements in BS 25999-2 will be present in ISO 22301 too: business continuity policy, business impact analysis, risk assessment, business continuity strategy (in ISO 22301 it will be called “business continuity options”), business continuity plans, exercising and testing etc.

Business impact analysis will probably be broken down in several clauses, demanding more precision. The requirements for business continuity plans, including response procedures and recovery plans, are much more detailed too – e.g. the communication part.

The management part of BS 25999-2 will also be transferred to the new standard – document control, internal audit, management review, corrective and preventive actions, human resources management etc. (by the way, these elements exist in all other management standards – ISO 9001, ISO 14001, ISO 27001…).

However the documentation will be called “documented information”, and preventive actions will be called “actions to address issues and concerns”.

… and differences

Plan-Do-Check-Act (PDCA) model is even less clearly stated in ISO 22301 compared to BS 25999-2, although BS 25999-2 is not as clear in that respect as ISO 27001. However, in my view that won’t affect the clarity of the process through which the standard should be implemented since the main sections of the standard are organized in a rather logical way.

ISO 22301 will obviously put much greater emphasis on setting the objectives, monitoring performance and metrics – therefore bringing business continuity much closer to top management way of thinking.

Following that line, ISO 22301 puts clearer expectations on management and summarizes them in a single section.

ISO 22301 will resolve one of the shortcomings of BS 25999-2, and will require much more careful planning for and preparing the resources needed for ensuring business continuity – those requirements are now extended and more clearly structured.

Finally, what will be different about ISO 22301, being an international standard, is that certification bodies will push certification against this standard much harder, so it will gain its popularity much faster.

As a conclusion, all the basic elements of BS 25999-2 will probably be present in ISO 22301 too, only ISO 22301 will be more precise and more demanding. Organizations that have already implemented BS 25999-2, and want to “upgrade” to ISO 22301, will have to pay more attention to detail and will have to invest more time into preparing and maintaining their system. On the other hand, ISO 22301 will certainly help them raise their level of resilience and their level of credibility – the same thing that ISO 27001 did 6 years ago when it replaced BS 7799-2.

Cross posted from ISO 27001 & BS 25999 blog at http://blog.iso27001standard.com

Dejan Kosutic

About Dejan Kosutic

Expert in information security management (ISO 27001 standard) and business continuity management (BS 25999-2 standard)

, , , ,

No comments yet.

Leave a Reply


*