Building Resilience: What to look out for in the latest ISO 22301:2019 Business Continuity Management System Standard

12. February 2020 Uncategorized 0
Building Resilience: What to look out for in the latest ISO 22301:2019 Business Continuity Management System Standard

Since its initial publication in 2012, the ISO 22301 standard has become the international benchmark for business continuity management systems and according to an ISO survey, over 4000 organizations globally hold an ISO 22301 certificate. With this revision, there is a definite improvement that will bring even more value to its users. This new version was published in November 2019.

The Good News: Changes are Limited

Let’s start with the main point: if you are already certified to ISO 22301:2012, you should have no problem whatsoever with the transition. A side-by-side comparison shows that there have been no major structural changes to the standard.

One of the main reasons that revisions of ISO management system standards have been challenging in the last couple of years has been the adoption of the High-Level Structure, which is a unified structure and core text for all ISO management system standards. However, the 2012 version of ISO 22301 already had the High-Level Structure – it was one of the very first ISO standards to feature this new structure.

Therefore, rather than rewriting the whole standard, the working group could focus on the wording and the clarity. Many redundant sections have been curtailed, the definitions have become more consistent and the text has become more logical.

The Great News: Back to the Essence of BCM

What is particularly interesting is how many requirements have been stripped back to their essence. Section 4.1 is a good example: whereas the 2012 version prescribes what an organization needs to do (and document!) in order to understand the organization and its context, the new version merely states the need to “determine external and internal issues” without specifying what this entails. It does not say which aspects need to be taken into account, nor does it include a requirement to document this process.

Something similar is happening in section 7.4 on communication: the new version is markedly less prescriptive.

Another requirement that has been trimmed is the involvement of top management (5.2). Both the old and the new version require top management to commit to the BCM policy. However, whereas the old version went as far as to require top management to “actively engage in exercising and testing”, the new version is more pragmatic in its approach and focuses on what is really needed to maintain an effective BCMS.

Other Changes

Beside a large number of minor adjustments with little or no impact for certified sites, there are a few changes worth highlighting:

  • One of the very few new requirements is clause 6.3, which requires organizations to make changes to the BCMS “in a planned manner”. Although technically this requirement is new, the content of the clause should not be a surprise to anyone.
  • Section 8.2.2 on Business Impact Analysis (BIA) now stipulates that the BIA should take impact categories as a starting point. While many organizations are already defining impact categories in their BIA, the new version of the standard makes this mandatory.
  • Section 8.3 has been renamed from “Business Continuity Strategy” to “Business continuity strategies and solutions”. This reflects the increased pragmatism of the standard: the focus is not so much on developing a grand strategy to ensure business continuity, but rather on finding solutions for specific risks and impacts.
  • The term “risk appetite” has been removed from the standard. In the 2012 version, “risk appetite” was defined as the “amount and type of risk that an organization is willing to pursue or retain”. The new standard, however, is right to abolish the term. Not only is “risk appetite” a rather subjective issue, it is also ultimately irrelevant: what matters is not the risk an organization is willing to take, but the level at which the impact of not resuming activities would become unacceptable to an organization.

Revision of the ISO 22313 Guidance

By trimming down the standard to its essence, ISO has achieved a much clearer separation between the requirements (what) and the guidance (how). The guidance document ISO 22313, which dates back to 2012, will also be updated to reflect the changes in the ISO 22301 standard. It is expected to be published shortly after the new version of ISO 22301 is released.

Timeline and Transition

The new version of ISO 22301 was published in November 2019.

Starting from the publication date, there will be a transition period of three years. This would mean that all certificates to the 2012 version would ultimately lose their validity in November of 2022.

Culled from

P.S: Tenol Alpha has supported organizations like Kwara State Internal Revenue Service, United Bank of Africa, among others in getting ISO/IEC 22301:2012 BCMS Certified. So request for a quote today to get started with yours! Call Tope on 08068466957 for more information!

Leave a Reply

Your email address will not be published. Required fields are marked *