What is the latest version of ISO 22301?
January 4th, 2021 By Kaytieduffield
In order to stay relevant in a constantly changing world and to develop alongside businesses, ISO standards are reviewed every five years. In October 2019, the latest version of the international standard for business continuity management systems (ISO 22301) was published. Following minor amendments in 2014, the 2019 revision brings slight changes to the standard, most notably more flexibility and less prescriptiveness, which in turn adds more value to organisations and their customers.
What are the key changes to ISO 22301?
- A more streamlined approach to integration:
While the structure of ISO 22301 remains the same, the 2019 version offers a more streamlined approach. Several sections of the standard are significantly less detailed and stripped back, which enables a smoother alignment and integration with other ISO standards, such as ISO 9001 (the context and scope clauses are now more closely aligned with other standards). If you are looking to gain ISO 22301 and already have an ISO in place, one of the benefits of this update is a smoother integration with other systems.
- Greater focus on strategy and solutions:
As discussed, one of the most notable changes to ISO 22301 is the removal of particular details, which not only helps align the standard to other ISOs but also focuses on the abilities and competence of those responsible for the management system process.
ISO 22301 now takes a broader approach, based on strategy and solutions. This update therefore requires organisations not only to develop high-level strategies (as before) but also to be able to define risk solutions. Defining and identifying resources in relation to solutions rather than strategies affects the budget planning for your business continuity management system. The new standard now makes it clear that the risks and opportunities needing to be addressed relate to the effectiveness of the business continuity management system, as opposed to the risks of disruption.
Another change to the ISO 22301 standard is the addition of a mandatory clause, which previously was implied, requiring organisations to manage the changes to their business continuity management system in an intended manner. Your organisation can achieve this by considering the purpose and consequences of the change, what resources you have available to adopt the change, and how this change affects the integrity of your business continuity management system.
- More defined approach to your business impact analysis:
The new standard also addresses risks and opportunities which relate to the effectiveness of your business continuity management system, as opposed to the risk of disruption. The way you conduct your business impact analysis is now more defined, and the standard explains the relationship between unacceptable impacts, the maximum period of disruption tolerable, and the priority of time frames for an activity to resume.
Your organisation’s business continuity documentation requires that the effectiveness of both your business impact analysis and risk assessment plan be evaluated for suitability and competence. Previously this was only an implicit requirement in the name of effectiveness. This requirement highlights the role your business impact analysis and risk assessment play within your business continuity management system.
- Acknowledging acceptable levels of activity:
Another notable difference is the concept of minimum activity levels. This changes the need to identify minimum levels of products and services into a need to identify minimum acceptable levels of activity, which reflects the minimum acceptable capacity of resumed activities and acknowledges that your organisation may not get back to your prior stage.
- Acknowledging the need for supply chain management:
The final key difference concerns something which had been criticised in the former standard but is now a stipulation in regard to outsourcing processes and supply chains: your business continuity management system must include managing outsourced processes and supply chains, acknowledging the need to control and review a company’s supply chain as part of that system. This recognises the critical link a supply chain has to an organisation’s business continuity.
What are the next steps?
While ISO 22301 includes key differences when compared to its predecessor, there are no substantial differences to the processes which make up your business continuity management system. These updates have allowed the standard to be streamlined and stripped back, removing prior repetition as well as adding requirements and clauses which focus on certain key areas.
If you currently hold the previous version of ISO 22301, we anticipate a three-year transition period to the newer ISO 22301. After 30 October 2022 older certificates for ISO 22301 will no longer be valid. If you need help transitioning to the newest version of your business continuity standard, IMSM can help, or if you are interested in implementing an ISO 22301 business continuity management system, then get in touch today to start your ISO journey.