CALL US 1-888-553-2256

The ISO 27001 & ISO 22301 Blog

Rhand Leal

Do we need to make the transition from ISO 22301:2012 to the 2019 revision?

The new revision of ISO 22301 was finally published on October 31, 2019, and you are probably asking yourself whether you need to implement the whole standard all over again. Well, a new implementation is not quite necessary – although the 2019 revision did bring some changes, they are not so drastic.

Timing of complying with the new revision

blogpost-banner-27001-premium-en

As of the date this article was published, accreditation bodies haven’t released information about the transition period for the 2019 revision of ISO 22301 (this article will be updated with this information as soon as it is released by the biggest accreditation bodies).

We can assume, based on previous transition periods of other ISO management standards, like ISO 9001 and ISO 27001, that the transition period may last three years or even less, as the changes on this revision were not so big.

Main differences

“More streamlined and practical.” These words define well what this new 2019 revision of ISO 22301 brings for business continuity management.

  • Many documents are not mandatory anymore, like the Procedure for identification of applicable legal and regulatory requirements, and documents for business impact analysis and risk assessment (although it would be a good practice to use them).
  • Some requirements are less prescriptive (e.g., 4.1 – Understanding the organization and its context, and 7.4 – Communication), which means that organizations now have more freedom to adopt approaches that best fit their contexts.
  • A new clause was added, which requires planning the changes to the BCMS (clause 6.3).
  • Required resources are now identified based on continuity solutions instead of continuity strategies.

Do we need to make the transition from ISO 22301:2012 to the 2019 revision?

For more information about mandatory documents and records for the 2019 revision of ISO 22301, please read: Mandatory documents required by ISO 22301 revision 2019.

Transition or adaptation?

Most changes in the 2019 revision aimed to make the standard less complex, and only one new small clause was included (6.3), so you may be wondering what is needed for a successful transition to the 2019 revision of the standard.

In fact, this could be hardly called a “transition” at all. All the changes to be made to fill gaps are not enough to justify a project-based approach like you might use for transitions of other management standards, like was the case with the ISO 27001 2005 revision to the 2013 revision.

This situation is closer to the regular effort of maintaining your compliance with the standard, where you can plan less-complex activities to make the few smaller adaptations to achieve compliance with the new revision of the standard.

Changes put a system in place to show the usefulness of your BCMS

And, this is it. It might seem like there’s little to do (clauses like document control, performance evaluation, and continual improvement basically did not change), but that’s because:

  • Updates to the new revision were made to make the standard leaner (eliminating redundancies in the text and placing requirements in more appropriate sections).
  • Mandatory documents are reduced, although related clauses are still mandatory.
  • The ISO 22301 2012 revision was one of the first to follow the high-level structure for ISO management systems standards as defined by Annex SL, so it was already aligned with the structure of other management system standards that were published in the meantime, like ISO 9001, ISO 14001, and ISO 27001.

These changes in the standard really do make sense – they will not only bring your Business Continuity Management System (BCMS) closer to the needs of your business, but you will also have a system in place to show the usefulness of your business continuity management.

To learn more about ISO 22301 implementation, visit our Free downloads page.


About the author:

Rhand Leal has 10 years of experience in information security, and for 6 years he has continuously maintained а certified Information Security Management System based on ISO 27001. Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are: ISO 27001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.

If you enjoyed this article, subscribe for updates

Improve your knowledge with our free resources on ISO 27001/ISO 22301 standards.

You may unsubscribe at any time.

For more information on what personal data we collect, why we need it, what we do with it, how long we keep it, and what are your rights, see this Privacy Notice.

Leave a Reply

Your email address will not be published. Required fields are marked *

OUR CLIENTS

OUR PARTNERS

  • Advisera is Exemplar Global Certified TPECS Provider for the IS, QM, EM, TL and AU Competency Units.
  • ITIL® is a registered trade mark of AXELOS Limited. Used under licence of AXELOS Limited. All rights reserved.
  • DNV GL Business Assurance is one of the leading providers of accredited management systems certification.