Natural disasters, fires, cyber-attacks, epidemics and supply chain problems are known threats that can disrupt the business activities of any organization. The best protection is to prevent possible disruptions and to prepare for the moment when an emergency occurs.
On 31 October 2019, the International Organization for Standardization (ISO.org) announced the release of the updated international standard ISO 22301 – Business continuity management systems – Requirements. This standard defines the requirements for establishing and maintaining effective business continuity planning. The standard encourages the organization to respond more efficiently and recover more quickly from emergencies, and helps reduce adverse impacts.
This latest version is structured to fit other ISO management system standards. The standard does not contain new requirements, but the requirements are now more clearly formulated. The terminology has been modified for better understanding. For example, the standard no longer includes terms such as MAO (Maximum acceptable outage) or RPO (Recovery Point Objective). The controversial concept of “risk appetite” has also been removed.
Specific business continuity requirements are now almost entirely included in Article 8 – Operation. It sets requirements for Business Impact Assessment (BIA) and for conducting a risk analysis, and requires the development of business continuity strategies and solutions, as well as business continuity plans and procedures. This article also covers the requirement to develop a training program and to evaluate documentation and business continuity capabilities.
ISO 22301 now requires fewer documents and prescribed procedures. It places much greater emphasis on goal setting, performance monitoring and metrics, as well as the links between business continuity and the strategic approach of the management.
In today’s environment, there is a growing need to address a complex range of threats that can disrupt organizations’ activities. The ability of an organization to continue to operate during disruption has never been so important, which is why updating ISO 22301:2012, an essential international standard for business continuity, is also so important.
A comparison of the structure of the new and old ISO 22301 can be found in the attached PDF document.