BS25999 vs ISO 22301

Most are aware that BS25999-2 (the requirements for a business continuity management system) is on its way to becoming an international standard. The aim is to have it published by the end of 2011, but, as ever, the certification bodies will allow a long transitional period, probably at least two years after publication.

It will be “ISO 22301, Societal security — Preparedness and continuity management systems – Requirements” and is currently a “DIS” (Draft International Standard).

As with the draft ISO/IEC 27001:2013 (information security management), nothing is final yet, but the draft uses the ten-clause format that is to be the new common structure for all management system standards, as below:

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. General requirements
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

I reiterate – ISO 22301 is not final and is subject to change. However, as with the ISO 27001 draft, the requirement for a separate record control procedure has disappeared (records are now treated as a type of document), and preventive action has been aligned with risk treatment, so the requirement for a preventive action procedure has gone too. Most of the BC-specific requirements stay broadly the same but are more fully and specifically defined.

Most of the familiar “Plan Do Check Act” content seems to fall at present within section 8 of the new format, which I’m personally not sure is how the format was intended to be used, but I’m sure these kinks will be ironed out as it gets closer to publication.

Please also note that BS25999-1 (the code of practice) has already been superseded by “ISO/PAS 22399:2007 – Societal security – Guideline for incident preparedness and operational continuity management”, which ISO has already published.

We expect the move from BS 25999 to ISO 22301 to be similar to that experienced by organisations moving from BS 7799 to ISO 27001, since BS 25999 is the document on which ISO 22301 is founded. There is therefore no need for organisations to hold back BS 25999 certification plans to wait for ISO 22301. To adopt best practice in business continuity management, BS 25999 is still the recommended route, and will be the most direct path to ISO 22301 compliance when that standard finally comes into force.

