What is the latest version of ISO 22301?

In order to stay relevant in a constantly changing world and to develop alongside businesses, ISO Standards are reviewed every five years. In October 2019 the latest version of the International Standard for Business Continuity Management Systems ISO 22301 was published to create the latest version: ISO 22301:2019. With minor amendments in 2014, the 2019 revision brings slight changes to the standard, most notably more flexibility and less prescriptiveness, which in return adds more value to organizations and their customers.

What are the key changes to ISO 22301:2019?

A more streamlined approach to integration:

While the structure of ISO 22301 remains the same, the 22301:2019 version offers a more streamlined approach. Several sections of the standard are significantly less detailed and stripped back, which enables a smoother alignment and integration with other ISO standards, such as ISO 9001 (The Context and Scope clauses are now more closely aligned with other Standards). If you are looking to gain ISO 22301:2019 and already have an ISO in place, one of the benefits of this update is rendering a smoother integration with other systems.

Greater focus on strategy and solutions:

As discussed, one of the most notable changes to ISO 22301:2019 is the process of removing particular details, which not only helps align the standard to other ISOs but focuses on the abilities and competence of those responsible for the management system process.

ISO 22301:2019 is a broader approach that is based on strategy and solutions. Therefore, this update requires organizations to not only develop high-level strategies (as before) but also requires an ability to define risk solutions. Defining and identifying resources concerning solutions and not strategies affects the budget planning for your Business Continuity Management System (BCMS). The new standard now makes it clear that the risks and opportunities needing to be addressed relate to the effectiveness of the BCMS, as opposed to the risks of disruption.

Another change to the ISO 22301:2019 standard is the addition of a mandatory clause, which previously was implied, requiring organizations to manage the changes to their Business Continuity Management System in an intended manner. Your organization can achieve this by considering the purpose and consequences of the change, what resources you have available to adopt the change, and how this change affects the integrity of your BCMS.

More defined approach to your Business Impact Analysis:

The new standard also addresses risks and opportunities which relate to the effectiveness of your BCMS, as opposed to the risk of disruption. Conducting your business impact analysis (BIA) is now more defined and explains the relationship between unacceptable impacts, the maximum period of disruption tolerable, as well as the priority of time frames for an activity to resume.

Your organization’s Business Continuity documentation requires the effectiveness of both your business impact analysis and risk assessment plan be evaluated for their suitability and competence. Previously this was only an implicit requirement in the name of effectiveness. This requirement highlights the role your BIA and risk assessment plays within your BCMS.

Acknowledging acceptable levels of activity:

Another notable difference is the concept of minimum activity levels; this changes the need to identify minimum levels of products and services to minimum acceptable levels of activity, reflecting the minimum acceptable capacity of resumed activities – acknowledging that your organization may not get back to your prior stage.

Acknowledging the need for supply chain management:

The final key difference is something which had been criticized in the former standard but is now a stipulation in regard to outsourcing processes and supply chains – requiring your BCMS to include managing outsourced processes and supply chains, acknowledging the need to control and review a company’s supply chain as part of your BCMS. This recognizes the critical link a supply chain has to an organization’s business continuity.

Conclusion and next steps:

While ISO 22301:2019 includes key differences compared to its predecessor, there are no substantial differences to the processes that make up your BCMS. These updates have allowed the standard to be streamlined and stripped back, removing prior repetition and adding requirements and clauses that focus on certain key areas.

If you currently hold the ISO 22301:2012 certification, we anticipate a three-year transition period to ISO 22301:2019. After 30 October 2022 certificates for ISO 22301:2012 will no longer be valid. If you need help transitioning to the newest version of your Business Continuity standard IMSM can help, or if you are interested in implementing an ISO 22301:2019 BCMS then get in touch today.