The International Standard for Business Continuity Management Systems is well and truly here, and we at Steelhenge have been busy assisting clients with their ISO 22301 implementation. Here we take you on a whistle-stop tour of the headline differences between the requirements of BS 25999-2 and ISO 22301.
Visit us at www.steelhenge.co.uk to find out more!
1. Comparison of ISO 22301 and BS 25999-2
Business Continuity Management Standards
Headline Differences
enquiries@steelhenge.co.uk | @Steelhenge | www.crisisthinking.co.uk | 0845 094 2117
2. What is in this Slide Pack?
What is ISO 22301?
Key features of ISO 22301
How does it compare with BS 25999-2?
What’s new in ISO 22301 vs BS 25999-2
Support in implementing ISO 22301
3. What is ISO 22301?
4. What is ISO 22301?
• ISO 22301 is the International Standard for Business Continuity Management Systems – Requirements
• It encapsulates international business continuity best practice into a specification of requirements for planning and implementing a business continuity management system (BCMS)
• Organisations wishing to certify their BCMS will be externally audited against the requirements in ISO 22301
5. What is ISO 22301?
• ISO 22301 is supported by a Guidance document published as a separate Standard, ISO 22313
• Both Standards were developed by Technical Committee 223 – Societal Security (ISO TC 223) of the International Standards Organisation
• ISO 22301 was published May 2012
• ISO 22313 was published December 2012
6. Key Features of ISO 22301
7. Key Features of ISO 22301
• Amalgamation of National BC Standards
• Enables global organisations to apply one Standard
• Conforms to ISO’s new Management Systems 10 clause structure (Annex SL) which will guide all future Standards:
1, 2, 3 – Scope, References, Definitions
4 – Context of the Organisation
5 – Leadership
6 – Planning
7 – Support
8 – Operation
9 – Performance Evaluation
10 – Improvement
8. How does ISO 22301 compare to BS 25999-2?
BS 25999-2 – Withdrawn; transition period to June 2014
BS 25999-1 – Withdrawn
9. ISO 22301 vs BS 25999-2
• BS 25999 was the key reference for the business continuity content of ISO 22301
• The BC-specific requirements are mainly in Clause 8; the other clauses relate to operational planning and management of the system
• The BC requirements, e.g. BIA/RA, are largely the same as in BS 25999 but with some changes in terminology and emphasis, such as supply chain continuity
• 105 ‘shall’s in ISO 22301 vs 56 in BS 25999
10. ISO 22301 vs BS 25999-2
The next slide maps the clauses of ISO 22301 against the Business Continuity Lifecycle in BS 25999-2
11. ISO 22301 clauses mapped against the BS 25999-2 Business Continuity Lifecycle
• 8.2 – BIA and RA
• 8.3 – BC Strategy; Risk Treatment
• 8.4 – Plans
• 8.5 – Exercising & Testing
• 7.2 Competence; 7.3 Awareness
• Clauses 4, 5, 6, 7, 8.1, 9 & 10 – management of the BCMS
12. What’s New in ISO 22301 vs BS 25999-2?
13. What’s New in ISO 22301?
• Formal requirements (Clause 4) to define and document the context of the organisation, to ensure the BCMS is relevant to it
• Context considers such things as defining what the organisation does, its strategic objectives, the risks and opportunities it faces, its risk appetite, what it is dependent on, who it influences and what regulatory requirements it has to meet
14. What’s New in ISO 22301?
• More specific requirements (Clause 5) for leadership and ongoing commitment to implementation of the BCMS by senior management
• More clarity around setting realistic and measurable BC objectives and how they will be achieved
• Much of the ‘embedding’ part of BS 25999 is met by the competency and awareness requirements in Clause 7
15. What’s New in ISO 22301?
• A new clause (7.4) on communication with internal and external interested parties during disruption: who, what, when and how (testing of communication capability and interoperability is required)
• A new clause (8.4.3) on Warning and Communication throughout the incident lifecycle: how will an incident be detected and monitored, how will people be told about it, and how will information and decisions be recorded?
16. What’s New in ISO 22301?
• A short but significant new requirement for recovery plans (8.4.5) detailing how activities will return from their temporary state post-incident to normal (or a new normal), e.g. movement back from a recovery site to the office
• A new clause (9) on Performance Evaluation of the whole BCMS – are we doing what we said we would do, is it doing what we want it to do, how do we know, and does anything need updating or changing? Includes the Internal Audit and Management Review requirements from BS 25999
18. What Steelhenge can do to assist you
• Advice and support in implementing ISO 22301
• Transitioning from BS 25999-2 to ISO 22301
• Gap analysis and reviews of your BCMS requirements
• Implementing a full BCMS
• Assisting you with parts of the BCMS such as BIAs, training and exercising