New ISO BCM Standard Places Executive Governance Front and Center



  Free preview of Gartner research


The new ISO business continuity management standard's heightened focus on executive governance may make it more rigorous to implement than its predecessor, but will result in BCM program improvements for most organizations.

News Analysis


On 16 May 2012, the International Organization for Standardization (ISO) published the new 22301 standard (full name: "ISO 22301:2012 Societal security — Business continuity management systems — Requirements"). The new standard will supersede the BS 25999-2 (25999-2) standard, which will have "withdrawn" status as of November 2012. BS 25999-1, which provides business continuity management (BCM) program implementation guidance, will remain in place. (An additional standard, ISO 22313, providing specific implementation guidance on the new 22301 standard, will likely be published in late 2012 or early 2013.) 22301 is now subject to review by various countries' accreditation bodies (ABs). The U.S. PS-Prep organizational certification program is expected to adopt 22301 as a replacement for 25999-2 before that standard expires. Once the ABs finish their reviews and issue a transition statement, organizations will typically have two years to transition to 22301. All certification bodies and their certified auditors will need to qualify to conduct 22301 certification audits, and this could take until YE12.


This long-awaited standard is one of more than 100 BCM standards, frameworks, sets of best practices, laws and regulations worldwide. However, an ISO standard typically has more credibility because it is developed by a global group of domain experts, and 22301 is no exception. The ISO determined that 22301 needed to be both translatable and applicable for implementation in every country, and auditable (as is 25999-2). As a result of the rationalization across all views and other standards as input, some terminology is more business-oriented and its requirements are less ambiguous than 25999-2's.

The new standard represents an improvement over 25999-2 in areas such as disaster response and crisis communications, and more robust use of the ISO Plan — Do — Check — Act management system. It also makes executive governance the focal point of a BCM program, and this may make it more rigorous for some organizations to implement. Like 25999-2, it has a limited focus on prevention/risk mitigation actions.

National Fire Protection Association (NFPA) 1600:2010’s focus, by comparison, is primarily disaster response. It follows the U.S. National Incident Management System/Incident Command System (NIMS/ICS) framework and is limited in its recovery and restoration requirements and management system. ASIS SPC.1-2009 focuses on risk management; it includes information security, preparedness and continuity, but its risk focus means that it can take longer to implement and it is less familiar to BCM professionals.

By YE14, 25999-2 will no longer be a certification option. The choices will be 22301, NFPA 1600:2010 and ASIS SPC.1-2009. Gartner advises all organizations to choose a standard/framework for BCM program implementation. (Some industries, such as financial services in the U.S., must follow specific guidance superseding all three standards.) The result over time will be an improvement in BCM maturity for all organizations.


  • BS 25999-2-certified organizations: Use the two-year transition period to assess the differences between the standards, determine whether organizational certification is still appropriate and build a transition plan.

  • Organizations with certification under PS-Prep in progress: Determine whether 25999-2 is still appropriate for your needs within the one - year post-adoption transition period for in-process applications.

  • Organizations considering certification: Assess each standard to determine which is most appropriate for your organization's business drivers and investments .

Recommended Reading

Some documents may not be available as part of your current Gartner subscription.

© 2012 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartners research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.

Not a Gartner Client?

Want more research like this?
Learn the benefits of becoming a Gartner client.

Contact us online





Why Gartner

Gartner delivers the technology-related insight you need to make the right decisions, every day.

Find out more