The new ISO business continuity management standard's heightened focus on executive governance may make it more rigorous to implement than its predecessor, but will result in BCM program improvements for most organizations.
On 16 May 2012, the International Organization for Standardization (ISO) published the new 22301 standard (full name: "ISO 22301:2012 Societal security — Business continuity management systems — Requirements"). The new standard will supersede the BS 25999-2 (25999-2) standard, which will have "withdrawn" status as of November 2012. BS 25999-1, which provides business continuity management (BCM) program implementation guidance, will remain in place. (An additional standard, ISO 22313, providing specific implementation guidance on the new 22301 standard, will likely be published in late 2012 or early 2013.) 22301 is now subject to review by various countries' accreditation bodies (ABs). The U.S. PS-Prep organizational certification program is expected to adopt 22301 as a replacement for 25999-2 before that standard expires. Once the ABs finish their reviews and issue a transition statement, organizations will typically have two years to transition to 22301. All certification bodies and their certified auditors will need to qualify to conduct 22301 certification audits, and this could take until YE12.
This long-awaited standard is one of more than 100 BCM standards, frameworks, sets of best practices, laws and regulations worldwide. However, an ISO standard typically has more credibility because it is developed by a global group of domain experts, and 22301 is no exception. The ISO determined that 22301 needed to be both translatable and applicable for implementation in every country, and auditable (as is 25999-2). As a result of the rationalization across all views and other standards as input, some terminology is more business-oriented and its requirements are less ambiguous than 25999-2's.
The new standard represents an improvement over 25999-2 in areas such as disaster response and crisis communications, and more robust use of the ISO Plan — Do — Check — Act management system. It also makes executive governance the focal point of a BCM program, and this may make it more rigorous for some organizations to implement. Like 25999-2, it has a limited focus on prevention/risk mitigation actions.
National Fire Protection Association (NFPA) 1600:2010’s focus, by comparison, is primarily disaster response. It follows the U.S. National Incident Management System/Incident Command System (NIMS/ICS) framework and is limited in its recovery and restoration requirements and management system. ASIS SPC.1-2009 focuses on risk management; it includes information security, preparedness and continuity, but its risk focus means that it can take longer to implement and it is less familiar to BCM professionals.
By YE14, 25999-2 will no longer be a certification option. The choices will be 22301, NFPA 1600:2010 and ASIS SPC.1-2009. Gartner advises all organizations to choose a standard/framework for BCM program implementation. (Some industries, such as financial services in the U.S., must follow specific guidance superseding all three standards.) The result over time will be an improvement in BCM maturity for all organizations.
BS 25999-2-certified organizations: Use the two-year transition period to assess the differences between the standards, determine whether organizational certification is still appropriate and build a transition plan.
Organizations with certification under PS-Prep in progress: Determine whether 25999-2 is still appropriate for your needs within the one - year post-adoption transition period for in-process applications.
Organizations considering certification: Assess each standard to determine which is most appropriate for your organization's business drivers and investments .
Some documents may not be available as part of your current Gartner subscription.
"Predicts 2012: Business Continuity Management Maturity Takes Two Steps Forward and One Step Back Due to Technology and Cultural Changes" — Supply chain availability requirements and the goal for better business agility and resilience will continue to be the key drivers for improved BCM and IT disaster recovery modernization. By Roberta Witty and others
"ITScore for Business Continuity Management, 2012" — All enterprises must periodically assess and improve the maturity of their BCM programs to ensure that current and future operational needs are addressed. By Roberta Witty and John Morency