ISO 22301:2012 “Societal Security – Business Continuity Management Systems – Requirements” has no requirement for mandatory documented procedures for document control, records control, internal audit, corrective action and preventive action – unlike management systems standards that preceded it such as ISO27001 and ISO9001.
Being the International Organization for Standardization, ISO naturally has procedures for writing standards. The “Consolidated ISO Supplement – Procedures Specific to ISO” (published in 2012) includes guidance on writing requirements for management systems, including standardised content for common management system elements such as what were known as “the mandatory documented procedures”. ISO 22301:2012 is the first management system standard to use this guidance. (It was actually based upon an earlier draft known as “Draft Guide 83”, now superseded by the Consolidated ISO Supplement.)
The old requirements for the control of documents, and of records, have been incorporated into the control of “documented information”. The distinction between documents and records has been dropped; complex records such as exercise reports, supplier evaluations or audit reports often start life as a document (which is versioned, reviewed, changed, reviewed again and eventually approved) but become a record, once approved, of what was observed. The requirement to document these procedures has made no sense for a long time in an age of automated systems, which take the user through versioning, review, approval, distribution, retention and archiving with automated forms.
ISO 22301:2012 retains the sense of controlling documents and records, but more pragmatically, less focused on the medium (which was largely paper when these requirements were first written) and more concerned with the message, the information and its control.
In practice, what this means for an organisation implementing ISO22301 is this:
- If you are implementing ISO27001 and/or ISO9001 as well, an integrated system using the old documented procedures for document control and records control should be just fine for ISO22301.
- If you are implementing ISO22301 in isolation, you might take advantage of its more modern, less bureaucratic requirements for control of documented information. Refer to the ISO22301 BCMS Implementation Toolkit, which contains the pre-written documentation you need in order to implement ISO22301 without over-complicating the process.
Either way, remember to make the incident management plans available to those who need them – some place other than in the building that is burning down before their eyes!
Turning to the other old “mandatory documented procedures”, both internal audit and corrective action are pretty much the same as before, with some tweaks for business continuity – and no requirement for documented procedures. The trick is to make sure there is evidence that internal audit and corrective action are processes that are consistently communicated (e.g. by managers), understood, executed and effective. Of course many organisations will still choose to document these processes, but for their own reasons – not simply because the standard says so. They will be able to empower their employees by thinking about what needs to be documented, free of the restricted thinking that comes with doing it mechanically.
But the best news, perhaps, is that there is no formal requirement for preventative action. It has been replaced with Risk Management, an explicit requirement alongside Business Impact Analysis.
Risk management is required, as one would expect, in terms of risks to products, services, resources and suppliers – but also the organisation shall “determine the risks and opportunities that need to be addressed to ensure the management system can achieve its intended outcome(s).” (Clause 6.1)
In other words, it must assess the risks to the BCMS itself. For example, having selected radio communications technology for use in disruptive incidents, it must assess the risks of the radios failing, or not using the correct frequencies for interoperability.
When we revised the ISO22301 BCMS Implementation Toolkit to meet the new requirements, we left the control of documents, control of records, and internal audit alone. The old requirements suffice, and are compatible with ISO27001 and ISO9001. When both those standards have been revised and refer to “control of documented information”, we will revisit the issue. For preventative action, we suggest using an appropriate risk management process instead.
We might have added ‘perform a risk assessment upon the control of documents and records elements of the BCMS’ to assess whether the lack (or presence) of a documented procedure might be a problem. But that would have been overkill, wouldn’t it?