Every five years, each ISO Standard is reviewed to check that it remains useful and relevant to businesses. During a revision, the ISO committee tweaks the ISO so that it can keep up with the challenges businesses face.
In 2019, the Standard for business continuity came up for review. Fortunately, it did not need a drastic revision as it already conforms to the high-level Annex SL structure, which is being gradually rolled out across all ISOs.
Instead, the changes were minimal and focused on making the requirements easier to understand. Unnecessary duplication has also been removed to reduce the workload for businesses.
So, what exactly is different in the 2019 iteration?
What is different in ISO 22301:2019?
The changes to ISO 22301 are more like tweaks – there are no new requirements to worry about. But the changes to the wording and a few clarifications mean that you may need to adjust your business continuity plans in order to stay compliant with the Standard.
Here’s a quick breakdown of the key changes:
Some terms and definitions have been removed from this section for greater clarity. Others, such as ‘disruption’ and ‘impact’, have been added to aid understanding.
This section, on the organisation and its context, has been edited and shortened. You won’t need to document what your ‘context’ is going forward. Instead, you will simply need to determine what your internal and external issues are.
Previously, you would need to review your business continuity planning for ongoing suitability in this section. Not anymore – this requirement has been moved and is now only found within Management Review inputs.
This clause has also been tweaked to be more pragmatic. While senior managers should still be involved in the process, the ISO no longer says that they must be actively involved in exercising and testing the plan. This should free up their time for other essential business tasks.
This section has been neatly restructured and one of its requirements revised. To comply with Clause 6.3, you must now articulate and plan changes to your business continuity plan. You were probably doing this already, so this shouldn’t be a tricky thing to include in your management system.
This clause is now focused on the communication of your Business Continuity Management System. Communications for keeping your business going, such as in the event of a disruption, have been shifted over to Clause 8.
This clause has seen the most alterations, so it is worth paying careful attention to these.
You must now define the impact types that you will assess over time for your Business Impact Analysis. This includes financial, legal and reputational impacts.
Emphasis has also now been added to finding solutions for risks and impacts, with each continuity strategy including one or more solutions. Each one must be regularly reviewed, and its ongoing relevance confirmed.
Clause 8.4 has had some minor, but notable, tweaks in its wording. Business Continuity Plans must now have defined response structures, which must be built so that one or more teams are responsible for responding in the event of a crisis. Their relationships must also be clarified, and each team must have nominated ‘alternates’. These must then have their authority, competence and responsibilities determined.
A final addition to this clause is that you must now also consider the impact of disruptions on the environment.
A slight alteration to the wording means that you must also state when your monitoring results will be assessed, as well as by whom.
To aid understanding, Management Review inputs and outputs have been reorganised so that they are more succinct.
What are the benefits of the changes to ISO 22301?
- More flexibility when developing your Business Continuity Management System
- Clearer Business Impact Analysis requirements
- Reduced documentation for the Context of the Organisation
- More pragmatic requirements for the involvement of senior staff
- Emphasis on solutions
- Greater confidence in alterations to the Business Continuity Management System
I have ISO 22301 – what should I do now?
If you currently have ISO 22301 and wish to keep it, you will need to upgrade to the 2019 version and become certified in it. The revision was published in October 2019, so you have three years from this date to make the switch.
If you have not moved over to the 2019 version by the end of October 2022, your accreditation may not be accepted by third parties.
Making an upgrade may seem daunting, but you don’t have to do it alone. If you need support, we can guide you every step of the way and re-write your management system so that it complies with the 2019 version.
Once the upgrade is done, we will review and approve it so that you can be issued with a brand new ISO 22301:2019 certificate.
If you’d like to find out more about the process or want to kick-start your upgrade, get in touch with us at 0845 86 26 246 or drop us an email at firstname.lastname@example.org.